Cookie Injection Vulnerability in Gradio by Gradio-App
CVE-2026-48545

7.6 HIGH

Key Information:

Vendor: Gradio-app
Status: Vendor
CVE Published: 27 May 2026

What is CVE-2026-48545?

Gradio, a popular open-source framework for building machine learning interfaces, keeps a single module-level HTTP client whose cookie store is shared by every outbound (proxied) request made in the process. An attacker who controls any Hugging Face Space can answer a proxied request with a Set-Cookie header scoped to a parent domain shared by all Spaces; the shared client accepts and stores that cookie and then automatically attaches it to later proxy requests to other, legitimate Spaces under the same domain. This is cross-Space session fixation: the attacker chooses the session cookie that the affected Gradio deployment presents to other Spaces on behalf of all of its users, which is why the CVSS vector rates confidentiality and integrity impact as High.
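The advisory does not name the HTTP library or the fix, so the following is an added, stand-alone model of the behaviour using only the Python standard library's http.cookiejar (it is not Gradio's code and not the patched code). It shows one cookie jar shared across proxied requests, an attacker-controlled upstream replying with a cookie scoped to a parent domain, and a later request to a sibling host that silently replays it; then two mitigations, a fresh jar per request and a policy that refuses domain-scoped cookies. The hostnames attacker-space.hf.space and victim-space.hf.space, the cookie names, the `_Response` stand-in and the `proxy_fetch` helper are all constructed for this example.

```python
"""Model of the cross-Space cookie replay behind CVE-2026-48545 (added example, not Gradio code)."""
import email.message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

# Constructed hostnames: two Spaces that share a parent domain. The exact domain is an
# assumption for illustration; only the shared-suffix relationship matters.
ATTACKER_SPACE = "https://attacker-space.hf.space/"
VICTIM_SPACE = "https://victim-space.hf.space/api/predict"

# What the attacker-controlled Space answers with: a cookie scoped to the parent domain,
# so it matches every sibling host, plus an ordinary host-only cookie for comparison.
PARENT_DOMAIN_COOKIE = "session=attacker-fixed; Domain=.hf.space; Path=/"
HOST_ONLY_COOKIE = "tracker=1; Path=/"


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message.__setitem__ appends, so repeats are kept

    def info(self):
        return self._headers


def proxy_fetch(jar, url, set_cookie_headers=()):
    """One proxied request through `jar`: attach stored cookies, then ingest the reply's Set-Cookie.

    Returns the Cookie header that would have gone upstream (None if nothing matched).
    """
    req = Request(url)
    jar.add_cookie_header(req)
    sent = req.get_header("Cookie")
    jar.extract_cookies(_Response(list(set_cookie_headers)), req)
    return sent


# --- vulnerable shape: one cookie store for the whole process --------------------------
SHARED_JAR = CookieJar()  # module-level, like a module-level HTTP client with a cookie store


def vulnerable_flow():
    """Attacker's Space sets a parent-domain cookie; the next proxied request to a
    different Space replays it. Returns the Cookie header sent to the victim Space."""
    proxy_fetch(SHARED_JAR, ATTACKER_SPACE, [PARENT_DOMAIN_COOKIE])
    return proxy_fetch(SHARED_JAR, VICTIM_SPACE)


# --- mitigation 1: no cookie state survives between proxied requests -------------------
def isolated_flow():
    """Fresh jar per request: the parent-domain cookie is accepted but never carried anywhere."""
    proxy_fetch(CookieJar(), ATTACKER_SPACE, [PARENT_DOMAIN_COOKIE])
    return proxy_fetch(CookieJar(), VICTIM_SPACE)


# --- mitigation 2: keep a jar, but refuse cookies scoped wider than the host that set them
class HostOnlyCookiePolicy(DefaultCookiePolicy):
    """Reject any Set-Cookie carrying a Domain attribute. Host-only cookies are kept, and the
    default policy already refuses to send those to a different host."""

    def set_ok(self, cookie, request):
        if cookie.domain_specified:
            return False
        return super().set_ok(cookie, request)


def hardened_flow():
    """Shared jar with the strict policy. Returns which cookie domains were stored and what
    the victim Space would receive."""
    jar = CookieJar(policy=HostOnlyCookiePolicy())
    proxy_fetch(jar, ATTACKER_SPACE, [PARENT_DOMAIN_COOKIE, HOST_ONLY_COOKIE])
    sent = proxy_fetch(jar, VICTIM_SPACE)
    return {"stored": sorted(c.domain for c in jar), "sent_to_victim": sent}


if __name__ == "__main__":
    print("shared jar, default policy  :", vulnerable_flow())
    print("fresh jar per request       :", isolated_flow())
    print("shared jar, host-only policy:", hardened_flow())
```

The first flow is the bug: the default policy accepts `Domain=.hf.space` from any host under that suffix, and the jar then matches it against every sibling host. Of the two mitigations, per-request isolation is the simplest and removes the shared state the advisory blames; the host-only policy is the option when a persistent client is wanted, since it rejects the parent-domain cookie outright and leaves only cookies that the jar will never send to another host.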

Affected Version(s)

gradio 0

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YU SUN