HIGH
gradio-app
CVE published 2026-05-27
CVE-2026-48545
Gradio versions prior to 6.15.0 contain a session fixation vulnerability stemming from a shared module-level HTTP client in the reverse proxy endpoint. The shared client stores cookies returned by any Hugging Face Space and automatically replays them into subsequent proxy requests to other Spaces, enabling cross-Space session fixation. An attacker controlling a malicious Space can inject a parent-domain c [truncated]
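A stdlib-only illustration of the mechanism described above, added here as an example and not code from Gradio or from its fix: a single cookie jar shared across proxied requests (standing in for a module-level HTTP client) stores a parent-domain cookie returned by one upstream host and attaches it to the next request to a sibling host, whereas a host-only cookie does not cross over and a jar whose policy refuses to store cookies never replays anything. Host names and cookie values are constructed, and the no-store policy is one possible mitigation rather than the project's actual patch.

```python
"""Cross-upstream cookie replay from a shared cookie jar (standard library only)."""
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.request import Request

# Constructed hosts: two tenants under one parent domain, like two Spaces on a platform.
UPSTREAM_A = "https://tenant-a.example-proxy.test/"
UPSTREAM_B = "https://tenant-b.example-proxy.test/"

# Constructed Set-Cookie values returned by UPSTREAM_A.
PARENT_DOMAIN_COOKIE = "session=set_by_first_upstream; Domain=example-proxy.test; Path=/"
HOST_ONLY_COOKIE = "session=set_by_first_upstream; Path=/"


class _UpstreamResponse:
    """Minimal response stand-in: CookieJar only calls .info().get_all('Set-Cookie')."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def proxy_round_trip(jar, upstream_url, set_cookie_values):
    """Proxy one request and let the client's jar store whatever the upstream set."""
    jar.extract_cookies(_UpstreamResponse(set_cookie_values), Request(upstream_url))


def outbound_cookie_header(jar, upstream_url):
    """Return the Cookie header the client would attach to the next proxied request."""
    request = Request(upstream_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")  # None when no stored cookie matches


def shared_client_replays(set_cookie_value):
    """Vulnerable pattern: one jar lives for the whole process, so a cookie stored from
    upstream A is replayed to upstream B if its Domain attribute covers both hosts."""
    shared_jar = CookieJar()
    proxy_round_trip(shared_jar, UPSTREAM_A, [set_cookie_value])
    return outbound_cookie_header(shared_jar, UPSTREAM_B)


def no_store_client_replays(set_cookie_value):
    """Mitigation: the proxy's client refuses to store any cookie (allowed_domains=[]
    rejects every Set-Cookie), so nothing from one upstream can reach another."""
    no_store_jar = CookieJar(policy=DefaultCookiePolicy(allowed_domains=[]))
    proxy_round_trip(no_store_jar, UPSTREAM_A, [set_cookie_value])
    return outbound_cookie_header(no_store_jar, UPSTREAM_B)


if __name__ == "__main__":
    print("shared jar, parent-domain cookie:", shared_client_replays(PARENT_DOMAIN_COOKIE))
    print("shared jar, host-only cookie:    ", shared_client_replays(HOST_ONLY_COOKIE))
    print("no-store jar:                    ", no_store_client_replays(PARENT_DOMAIN_COOKIE))
```

Creating a fresh client per proxied request is the other common remedy; it yields the same result as the no-store jar because no cookie survives between requests.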