SB20260427139 - Multiple vulnerabilities in onnx
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-28500)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to insufficient verification of data authenticity in onnx.hub.load() when loading a model from an external repository with silent=true. A remote attacker can supply a malicious unverified repository to execute arbitrary code.
The issue suppresses trust warnings and user prompts, and the SHA256 check validates against a manifest stored in the same repository.
CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service and disclose sensitive information.
The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the ExternalDataInfo class when loading metadata from an ONNX model file. A remote attacker can supply a specially crafted model file to cause a denial of service and disclose sensitive information.
The issue can be triggered by overwriting object properties such as length or offset, and injected dunder attributes may corrupt object state.
3) Path traversal (CVE-ID: CVE-2026-34446)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in onnx.load when processing a crafted model with external data hardlinks. A remote attacker can supply a specially crafted model file to disclose sensitive information.
User interaction is required to load the crafted model.
4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to overwrite arbitrary files.
The vulnerability exists due to time-of-check time-of-use race condition in save_external_data in onnx.external_data_helper.py when saving external tensor data to an external file. A remote attacker can replace the target file with a symlink to overwrite arbitrary files.
User interaction is required to save or re-save a model with external data.
5) Path traversal (CVE-ID: N/A)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to write files outside the intended directory on Windows systems.
The vulnerability exists due to path traversal in save_external_data in onnx.external_data_helper.py when validating external data file paths on Windows systems. A remote attacker can supply a crafted absolute path to write files outside the intended directory on Windows systems.
This issue is described as a potential validation bypass and was not fully verified in the advisory.
6) UNIX symbolic link following (CVE-ID: CVE-2026-27489)
CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to symlink following in external data loading in onnx/checker.cc when loading a model with external data files. A remote attacker can provide a crafted model package containing a symlinked external data file to disclose sensitive information.
The issue can expose arbitrary files outside the model or user-provided directory, and is not limited to UNIX environments.
7) Link following (CVE-ID: CVE-2026-34447)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper link resolution in resolve_external_data_location in onnx/onnx/checker.cc when loading external data for a model from a directory containing a crafted symlink. A remote attacker can place a symlink inside the model directory that points to a file outside the model directory to disclose sensitive information.
User interaction is required to load a crafted model.
Remediation
Install update from vendor's website.
References
- https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
- https://github.com/advisories/GHSA-hqmj-h5c6-369m
- https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9
- https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp
- https://github.com/onnx/onnx/security/advisories/GHSA-q56x-g2fj-4rj6
- https://github.com/advisories/GHSA-q56x-g2fj-4rj6
- https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73
- https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj