SB20260427139 - Multiple vulnerabilities in onnx



SB20260427139 - Multiple vulnerabilities in onnx

Published: April 27, 2026

Security Bulletin ID SB20260427139
CSH Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 43% Medium 57%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-28500)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient verification of data authenticity in onnx.hub.load() when loading a model from an external repository with silent=true. A remote attacker can supply a malicious unverified repository to execute arbitrary code.

The issue suppresses trust warnings and user prompts, and the SHA256 check validates against a manifest stored in the same repository.


2) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-34445)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the ExternalDataInfo class when loading metadata from an ONNX model file. A remote attacker can supply a specially crafted model file to cause a denial of service and disclose sensitive information.

The issue can be triggered by overwriting object properties such as length or offset, and injected dunder attributes may corrupt object state.


3) Path traversal (CVE-ID: CVE-2026-34446)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper limitation of a pathname to a restricted directory in onnx.load when processing a crafted model with external data hardlinks. A remote attacker can supply a specially crafted model file to disclose sensitive information.

User interaction is required to load the crafted model.


4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to overwrite arbitrary files.

The vulnerability exists due to time-of-check time-of-use race condition in save_external_data in onnx.external_data_helper.py when saving external tensor data to an external file. A remote attacker can replace the target file with a symlink to overwrite arbitrary files.

User interaction is required to save or re-save a model with external data.


5) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to write files outside the intended directory on Windows systems.

The vulnerability exists due to path traversal in save_external_data in onnx.external_data_helper.py when validating external data file paths on Windows systems. A remote attacker can supply a crafted absolute path to write files outside the intended directory on Windows systems.

This issue is described as a potential validation bypass and was not fully verified in the advisory.


6) UNIX symbolic link following (CVE-ID: CVE-2026-27489)

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to symlink following in external data loading in onnx/checker.cc when loading a model with external data files. A remote attacker can provide a crafted model package containing a symlinked external data file to disclose sensitive information.

The issue can expose arbitrary files outside the model or user-provided directory, and is not limited to UNIX environments.


7) Link following (CVE-ID: CVE-2026-34447)

CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper link resolution in resolve_external_data_location in onnx/onnx/checker.cc when loading external data for a model from a directory containing a crafted symlink. A remote attacker can place a symlink inside the model directory that points to a file outside the model directory to disclose sensitive information.

User interaction is required to load a crafted model.


Remediation

Install update from vendor's website.