CVE-2026-48545 Overview
CVE-2026-48545 is a session fixation vulnerability in Gradio versions before 6.15.0. The flaw resides in the reverse proxy endpoint, which uses a single module-level httpx.AsyncClient shared across all users and Spaces. Because the shared client retains a global cookie jar, any attacker-controlled Hugging Face Space can return a parent-domain Set-Cookie header that the client stores and replays to other proxied Spaces. This enables cross-Space session fixation against every user of the same Gradio deployment. The issue is tracked as [CWE-384: Session Fixation] and referenced in GHSA-2mr9-9r47-px2g.
Critical Impact
Attackers controlling a single Hugging Face Space can inject cookies into requests made to any other Space sharing the proxy, enabling session fixation and account compromise across tenants.
Affected Products
- Gradio versions prior to 6.15.0
- Hugging Face Spaces deployments running vulnerable Gradio releases
- Applications using Gradio's /proxy= reverse proxy endpoint
Discovery Timeline
- 2026-05-27 - CVE-2026-48545 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48545
Vulnerability Analysis
The vulnerability stems from Gradio's reverse proxy implementation in gradio/routes.py. A single httpx.AsyncClient instance was instantiated at module scope and reused for all /proxy= requests. The httpx.AsyncClient maintains an internal cookie jar by default, persisting any Set-Cookie headers returned by upstream responses. When a malicious Space responded with a cookie scoped to the parent *.hf.space domain, the shared client stored it. Subsequent proxy requests to legitimate Spaces then replayed that attacker-controlled cookie, fixing session identifiers for every user routed through the same Gradio process.
Root Cause
The root cause is improper isolation of HTTP client state across security boundaries. The shared cookie jar violated tenant isolation between Spaces. Cookies set by one upstream were trusted and forwarded to unrelated upstreams, conflating responses from different origins into one global session context.
Attack Vector
An attacker hosts a malicious Hugging Face Space that returns a Set-Cookie header with a parent-domain scope. When any user triggers a /proxy= request to that Space, the cookie enters the shared jar. The attacker then waits for victims to load other Spaces through the same Gradio reverse proxy, where the injected cookie is replayed, fixing a session the attacker controls.
templates = Jinja2Templates(directory=STATIC_TEMPLATE_LIB)
templates.env.filters["toorjson"] = toorjson
-client = httpx.AsyncClient(
+# Shared transport keeps the connection pool warm without sharing an
+# `httpx.AsyncClient` (and therefore a cookie jar) across `/proxy=` requests.
+# A single shared `AsyncClient` would persist `Set-Cookie` headers from one
+# proxied response and replay them on subsequent requests to any sibling
+# `*.hf.space` URL — see GHSA-2mr9-9r47-px2g.
+_proxy_transport = httpx.AsyncHTTPTransport(
limits=httpx.Limits(
max_connections=100,
max_keepalive_connections=20,
),
- timeout=httpx.Timeout(10.0),
)
Source: Gradio commit feb7237. The patch replaces the shared AsyncClient with a shared AsyncHTTPTransport, preserving connection pooling while ensuring each proxy request uses an isolated cookie jar.
Detection Methods for CVE-2026-48545
Indicators of Compromise
- Unexpected Set-Cookie headers with parent-domain scope (e.g., Domain=.hf.space) in responses proxied through /proxy=.
- Session identifiers reused across unrelated Spaces or user contexts within the same Gradio process.
- Outbound proxy requests carrying Cookie headers that were not initiated by the requesting client.
Detection Strategies
- Inspect Gradio deployments to confirm version 6.15.0 or later using package inventory tools.
- Audit reverse proxy logs for anomalous Set-Cookie responses originating from third-party Spaces.
- Correlate session token reuse across distinct tenants in application logs to surface fixation attempts.
Monitoring Recommendations
- Enable verbose logging on the /proxy= endpoint and forward to a centralized analytics platform.
- Alert on outbound proxy requests that include cookies not present in the originating client request.
- Track Gradio release versions across managed Spaces and flag instances below 6.15.0.
How to Mitigate CVE-2026-48545
Immediate Actions Required
- Upgrade Gradio to version 6.15.0 or later across all deployments. See the Gradio 6.15.0 release.
- Review the VulnCheck advisory and apply guidance to multi-tenant Hugging Face Space hosts.
- Invalidate active sessions for users who interacted with untrusted Spaces while a vulnerable Gradio version was deployed.
Patch Information
The fix is delivered in Gradio 6.15.0 via pull request #13384 and commit feb7237d01f359d2ad4ee42d00344e61692b3b39. The patch removes the shared httpx.AsyncClient and uses an httpx.AsyncHTTPTransport instead, allowing connection pooling without sharing cookie state across /proxy= requests.
Workarounds
- Disable or restrict the /proxy= endpoint until the upgrade is applied.
- Block parent-domain cookies (Domain=.hf.space) at an upstream gateway to prevent cross-Space replay.
- Restrict which Spaces are reachable through the reverse proxy using an allowlist of trusted upstream origins.
# Upgrade Gradio to a patched release
pip install --upgrade "gradio>=6.15.0"
# Verify installed version
python -c "import gradio; print(gradio.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
