Improper access control in Gradio - CVE-2024-47084
Published: October 10, 2024 / Updated: April 28, 2026
Gradio
Detailed vulnerability description
The vulnerability allows a remote user to make unauthorized requests and disclose sensitive information.
The vulnerability exists due to improper access control in CustomCORSMiddleware when handling cross-origin requests that carry a cookie. A remote user can host a malicious website that makes unauthorized cross-origin requests to the Gradio instance and discloses sensitive information.
This affects locally deployed instances that use basic authentication; exploitation requires the victim to visit the malicious website while logged in.
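The following is an added example for defenders, not code from Gradio and not the project's actual fix. It contrasts the weak pattern this advisory describes (a CORS layer that reflects any Origin and allows credentials whenever a cookie is present) with an allowlist-based decision, and includes a small audit helper that flags a response in which credentials are allowed for an origin outside the allowlist. The ALLOWED_ORIGINS set and the function names are assumptions chosen for the illustration.

```python
"""Allowlist-based CORS decision versus origin reflection with credentials.

Added example; not Gradio's code. Illustrates why a middleware must not
combine a reflected Origin with Access-Control-Allow-Credentials: a page on
any origin could then read an authenticated (cookie-bearing) response.
"""
from urllib.parse import urlsplit

# Constructed allowlist: origins permitted to read credentialed responses.
ALLOWED_ORIGINS = frozenset({"http://localhost:7860", "http://127.0.0.1:7860"})


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in lowercase, or None if the value is not a
    well-formed web origin (e.g. missing scheme, 'null', or carrying a path)."""
    if not origin:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def permissive_cors_headers(origin, has_cookie):
    """Weak pattern: echo whatever Origin arrived and, if the request carried a
    cookie, also allow credentials. Any site the victim visits can then read the
    authenticated response."""
    if not origin:
        return {}
    headers = {"Access-Control-Allow-Origin": origin}
    if has_cookie:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def hardened_cors_headers(origin, has_cookie, allowed=ALLOWED_ORIGINS):
    """Allowlist pattern: emit CORS headers only for an exact, normalized origin
    match. Returning no CORS headers at all makes the browser block the
    cross-origin read, which is the safe default."""
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return {}
    # Vary: Origin keeps shared caches from serving one origin's grant to another.
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if has_cookie:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def credentialed_origin_leak(response_headers, allowed=ALLOWED_ORIGINS):
    """Audit helper: True when the response allows credentials for an origin that
    is not on the allowlist. A literal '*' with credentials is rejected by
    browsers, but it is still reported here because it signals a misconfigured
    middleware rather than a deliberate grant."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if not acac or acao is None:
        return False
    return normalize_origin(acao) not in allowed


if __name__ == "__main__":
    # Constructed scenario: an authenticated victim's browser, sitting on an
    # unrelated site, issues a cross-origin request that carries the session cookie.
    attacker_origin = "https://unrelated-site.example"
    weak = permissive_cors_headers(attacker_origin, has_cookie=True)
    strong = hardened_cors_headers(attacker_origin, has_cookie=True)
    print("permissive:", weak, "-> leak:", credentialed_origin_leak(weak))
    print("hardened:  ", strong, "-> leak:", credentialed_origin_leak(strong))
```

The audit helper can be run over captured response headers from a local instance to confirm that, after patching or adding a reverse proxy, no credentialed response is granted to an origin outside the expected localhost set.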