Cyber Resilience

CVE-2026-48545

HighPublic PoC

Published: 27 May 2026

Published
27 May 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v4 7.6 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 27.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-48545 is a high-severity Session Fixation (CWE-384) vulnerability in Gradio Project Gradio. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.

EU & UK References

Vulnerability details

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can…

more

return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gradio

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
T1606.001 Web Cookies Credential Access
Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
Why these techniques?

Cookie injection enables forging and alternate use of web session cookies via session fixation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

gradio project
gradio
≤ 6.15.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-384

Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.

addresses: CWE-384

Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier.

addresses: CWE-384

Enforces proper session ID generation and binding, preventing fixation of a known session token.

References