CVE-2026-59806 is an open redirect and server-side request forgery vulnerability in Gradio before 6.20.0. The vulnerability allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Affected product deployments should be reviewed for exposure, and owners should be assigned for fo [truncated]
Gradio versions prior to 6.15.0 contain a session fixation vulnerability stemming from a shared module-level HTTP client in the reverse proxy endpoint. The shared client stores cookies returned by any Hugging Face Space and automatically replays them into subsequent proxy requests to other Spaces, enabling cross-Space session fixation. An attacker controlling a malicious Space can inject a parent-domain c [truncated]