Gradio, Cookie Injection Vulnerability, CVE-2026-48545 (Medium) -DC-Jun2026-89

Listen to this Post

Before version 6.15.0, Gradio contained a cookie injection flaw in its reverse‑proxy endpoint. The vulnerability stems from a shared, module‑level HTTP client that all users employ when making requests through the proxy. An attacker controlling any Hugging Face Space can return a specially crafted parent‑domain `Set‑Cookie` header. Because the HTTP client is global across all users, this injected cookie is automatically stored and replayed on every subsequent proxy request sent to any other (legitimate) Space.
The attack is a classic cross‑Space session fixation. Once the poisoned cookie is stored, the shared client will blindly attach it to all future reverse‑proxy requests, regardless of the target Space. Consequently, the attacker’s session identifier becomes associated with a different, legitimate Gradio Space, effectively fixing the session for all users of that deployment.
The root cause is the lack of proper cookie isolation. The shared HTTP client does not separate cookies by user or by target Space; it simply accumulates all cookies received from any endpoint. This design flaw enables a malicious Space to set a cookie on the client that is later used when proxying requests to a benign Space, thereby bypassing any Space‑specific authentication or authorization checks.
The vulnerability affects any Gradio deployment that exposes a reverse‑proxy endpoint (e.g., `gr.Route` or similar mechanisms). Exploitation requires only that an attacker can host a Space reachable by the shared client. The fixed version, 6.15.0, introduces per‑user or per‑Space cookie stores, ensuring that cookies set by one Space are never replayed to another. Administrators should upgrade immediately to close this session‑fixation vector.

DailyCVE Form:

Platform: `gradio`
Version: `< 6.15.0` Vulnerability: `cookie injection` Severity: `Medium` Date: `2026‑05‑27`

Prediction: `2026‑06‑15`

What Undercode Say

The following `bash` commands and Python snippets demonstrate how to verify the presence of the vulnerable shared client and test for the cookie injection behavior.

1. Check installed Gradio version
pip show gradio | grep Version
2. Run a minimal Gradio app with a reverse proxy endpoint
cat > app.py <<EOF
import gradio as gr
def echo(text):
return text
with gr.Blocks() as demo:
gr.Markdown(" Vulnerable Gradio App")
inp = gr.Textbox(label="Input")
out = gr.Textbox(label="Output")
inp.change(echo, inp, out)
Expose a proxy endpoint (simplified)
demo.queue().launch(server_name="0.0.0.0", server_port=7860)
EOF
python app.py &
3. Python client that uses the shared HTTP client
from gradio_client import Client
Connect to a malicious Space (controlled by attacker)
mal_client = Client("https://attacker-space.hf.space")
Attacker’s Space returns a Set-Cookie header for the parent domain
mal_client.predict(...) triggers cookie injection
Now connect to a legitimate Space
legit_client = Client("https://victim-space.hf.space")
The shared client replays the injected cookie automatically
legit_client.predict(...) session is now fixed
4. Observe the cookie being replayed (requires network capture)
tcpdump -i lo -s 0 -A 'tcp port 7860' | grep -i 'cookie:'

Exploit

An attacker can exploit this vulnerability as follows:

  1. Host a malicious Gradio Space – The Space is crafted to return a `Set‑Cookie` header with a parent‑domain scope (e.g., Domain=.hf.space; Path=/).
  2. Trigger the shared client – The attacker forces the Gradio deployment’s shared HTTP client to send a request to the malicious Space (e.g., by calling any of its API endpoints).
  3. Cookie injection – The malicious Space responds with the parent‑domain cookie. The shared client stores this cookie without checking its origin or scope.
  4. Replay to legitimate Spaces – When the same client later makes a proxy request to a genuine, non‑malicious Space, it automatically attaches the injected cookie.
  5. Session fixation – The legitimate Space now sees the attacker’s session identifier, allowing the attacker to impersonate any user who later authenticates through that Space.
    Because the cookie is shared across all users of the Gradio deployment, the impact extends to every Space accessed through the vulnerable proxy endpoint.

Protection

  • Upgrade to Gradio 6.15.0 or later – The fixed version isolates cookies per user and per Space, preventing cross‑Space injection.
  • Disable the reverse‑proxy endpoint – If upgrading is not immediately possible, remove or disable any `gr.Route` or equivalent proxy functionality.
  • Use a dedicated HTTP client per request – Avoid using a single, module‑level client for all outbound proxy requests.
  • Validate cookie scope – Implement middleware that rejects `Set‑Cookie` headers targeting parent domains or excessively broad paths.
  • Monitor network traffic – Look for unexpected `Set‑Cookie` responses from internal Spaces that set `Domain` or `Path` attributes outside their own space.

Impact

  • Cross‑Space session fixation – An attacker can fix a session identifier across multiple Spaces, potentially leading to account takeover.
  • Bypass of Space‑specific authentication – Legitimate Spaces may treat the attacker’s cookie as a valid session, allowing unauthorized access.
  • Privilege escalation – If one Space has higher privileges (e.g., admin access), fixing a session from a low‑privilege Space could elevate the attacker’s permissions.
  • Widespread compromise in shared deployments – In multi‑tenant Gradio deployments (e.g., internal corporate proxies), a single malicious Space can poison the client for all users, affecting every Space reached through the proxy.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top