CVE-2026-11816: Keras: path traversal allows arbitrary file write

AWAITING NVD
Published June 11, 2026
CISO Take

Keras versions prior to 3.14.0 contain a path traversal flaw in the archive extraction utilities in `keras/src/utils/file_utils.py`: an adversary-controlled tar or zip archive can write files outside the intended extraction directory. The root cause is that the path safety filter validates archive member paths against the process working directory rather than the actual extraction target. When the CWD is `/`, as it commonly is inside Docker containers, CI/CD runners and Jupyter environments, the validation boundary is the filesystem root and every traversal path passes the check. Keras is one of the most widely deployed ML frameworks and its extraction utilities run routinely when pipelines fetch model weights, datasets or preprocessing assets, so the blast radius is broad. Python 3.11 installations do not get the `filter="data"` stdlib safety net and rely entirely on the flawed CWD-based filter, and a secondary bug in the zip filter raises an AttributeError when an entry is blocked, leaving the archive only partially extracted. Upgrade to Keras 3.14.0. If patching is delayed, set the process CWD to the intended extraction directory before any `get_file()` call (a process-global, non-thread-safe workaround) and audit ML pipelines that unpack archives from external or untrusted sources.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High for ML environments running in Docker or CI/CD pipelines, where the CWD commonly defaults to `/`. No CVSS score is assigned yet and no active exploitation is confirmed, but the attack surface is large: Keras is a direct or transitive dependency of a great many deep learning projects, and its extraction utilities run on every archive a pipeline fetches. The exploitation primitive is straightforward once an attacker controls archive content, which is realistic via poisoned dataset repositories, model hubs or compromised upstream mirrors. Python 3.11 users are fully exposed because the `filter="data"` stdlib safety net is not applied on that interpreter, so the flawed CWD-based filter is the only check. The secondary AttributeError in the zip filter does not change severity; it adds operational risk (extraction stops part-way when an entry is blocked) and, if pipeline code swallows the exception, can hide the fact that a traversal entry was present.

How does the attack unfold?

Supply Chain Poisoning
Attacker crafts a dataset or model weights archive containing path traversal entries (e.g., ../../../../usr/local/lib/python3/site-packages/backdoor.py) and publishes it to a public repository or compromises an upstream mirror.
AML.T0010.001
Archive Fetch
Victim ML pipeline calls keras.utils.get_file() inside a Docker container (CWD=/), retrieving the malicious archive as part of a routine training or preprocessing job.
AML.T0010.002
Filter Bypass
filter_safe_tarinfos() (and its zip counterpart filter_safe_zipinfos()) validates each archive entry path against the CWD (/) instead of the extraction destination. Every traversal path resolves to somewhere under /, so all of them pass the security check unchallenged.
Arbitrary File Write / Impact
Malicious files land outside the intended extraction directory — overwriting Python libraries, ML dataset files, or container entrypoints — enabling persistent code execution on next import or training data corruption in downstream model training.
AML.T0020
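The filter-bypass step above (and the CWD-based check described in the original advisory under technical details) reconstructed as an added example. This is not Keras's code: `vulnerable_filter()` is an assumed minimal shape of a filter whose boundary is the process working directory, `hardened_filter()` is the same check anchored on the real extraction destination, and the tar and zip archives are constructed in memory with attacker-chosen member names. Paths are POSIX.

```python
import io
import os
import tarfile
import zipfile


def is_within(base_dir, member_name):
    """True if base_dir/member_name resolves to a location inside base_dir.
    realpath() collapses '..' and symlinks; commonpath() is the containment test."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def vulnerable_filter(names, cwd=None):
    """Assumed shape of the flawed check: the boundary is the process CWD, not
    the directory being extracted into. With cwd == '/' no path can 'escape'."""
    cwd = os.getcwd() if cwd is None else cwd
    return [n for n in names if is_within(cwd, n)]


def hardened_filter(names, dest_dir):
    """Corrected check: the boundary is the real extraction destination."""
    return [n for n in names if is_within(dest_dir, n)]


def build_tar(entries):
    """Constructed in-memory tar; member names are attacker-controlled, so
    '../' components are stored verbatim."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(entries):
    """Constructed in-memory zip with the same attacker-controlled names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def member_names(archive_bytes):
    """Member names exactly as stored: neither tarfile nor zipfile normalizes
    them on read, so a filter sees the raw '../..' string."""
    if archive_bytes[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return zf.namelist()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        return tf.getnames()


def compare_filters(archive_bytes, dest_dir, cwd):
    """What each filter would let through for a given destination and CWD."""
    names = member_names(archive_bytes)
    return {
        "members": names,
        "vulnerable_allows": vulnerable_filter(names, cwd),
        "hardened_allows": hardened_filter(names, dest_dir),
    }


# Constructed payload: one plausible entry plus one traversal entry.
MALICIOUS = [
    ("model/weights.h5", b"not real weights"),
    ("../../etc/cron.d/backdoor", b"* * * * * root /bin/sh -c id\n"),
]

if __name__ == "__main__":
    for kind, build in (("tar", build_tar), ("zip", build_zip)):
        # CWD '/' as in a container: the vulnerable filter passes everything.
        print(kind, compare_filters(build(MALICIOUS), "/tmp/extract", cwd="/"))
        # With CWD elsewhere the same flawed filter happens to block the entry,
        # which is why the issue surfaces mainly in containers and CI runners.
        print(kind, compare_filters(build(MALICIOUS), "/tmp/extract", cwd="/home/user"))
```

The second print is the practical takeaway: the flawed filter is not a no-op everywhere, it is a no-op exactly when the CWD is at or above the destination, so a developer laptop with CWD in a project directory would never have shown the problem.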

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Keras | pip | < 3.14.0 | 3.14.0

Do you use Keras earlier than 3.14.0 and let it extract archives through `get_file()`? You're affected, most acutely when the process runs with CWD `/`.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Patch: Upgrade to Keras 3.14.0 — commit 2465b66 fixes both the CWD-based validation logic and the zip AttributeError.

  2. Workaround (if patching is delayed): Before any archive extraction call, set the process CWD to the intended destination via os.chdir(dest_dir) so the filter boundary matches the actual extraction target. The CWD is process-global: it changes how every other relative path in the process resolves and is not thread-safe, so restore it right after extraction and do not rely on this in multi-threaded workers.

  3. Python runtime: Upgrade to Python 3.12+ so the tarfile module's filter='data' safety net is available as a second line of defense. This complements, not replaces, the Keras upgrade.

  4. Supply chain controls: Pin dataset and model weight checksums (SHA-256) in CI manifests and validate them before extraction (get_file() can enforce this itself through its file_hash argument); restrict which URLs Keras pipelines may fetch from via egress controls.

  5. Detection: After model/dataset download steps, audit the container filesystem for files written outside the extraction directory (site-packages, cron directories and container entrypoints are the natural targets). Treat AttributeError exceptions raised from the Keras zip filter as a signal that it blocked an entry, which means the archive contained a traversal path and deserves investigation.
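Steps 2 to 5 as one fail-closed extraction routine, added here as an example of the controls rather than code from Keras. `extract_pinned()`, `check_members()` and `audit_written()` are hypothetical names; the pinned digest is computed from a constructed archive in the demo; and the routine never consults the CWD, so the `os.chdir()` workaround is unnecessary for code that goes through it.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


class ArchiveRejected(Exception):
    """Raised when an archive fails a pre-extraction check; we fail closed."""


def is_within(base_dir, member_name):
    """True if base_dir/member_name resolves to a location inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def check_members(archive_bytes, dest_dir):
    """Reject the whole archive if any member would escape dest_dir or is not a
    plain file or directory (links and devices are classic extraction tricks).
    Rejecting beats silently dropping entries, which leaves a half-built
    dataset that downstream code may happily train on."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        bad = [m.name for m in tf.getmembers()
               if not (m.isfile() or m.isdir()) or not is_within(dest_dir, m.name)]
    if bad:
        raise ArchiveRejected("unsafe members: " + ", ".join(bad))


def extract_pinned(archive_bytes, expected_sha256, dest_dir):
    """Verify the pinned SHA-256, run the fail-closed member check against the
    real destination, extract (with the stdlib data filter as a second net
    where the interpreter has it), then report what was actually written."""
    digest = hashlib.sha256(archive_bytes).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise ArchiveRejected("sha256 mismatch: got " + digest)
    check_members(archive_bytes, dest_dir)
    os.makedirs(dest_dir, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tf:
        if hasattr(tarfile, "data_filter"):   # present on Python 3.12+
            tf.extractall(dest_dir, filter="data")
        else:
            tf.extractall(dest_dir)           # check_members() is the only net
    return audit_written(dest_dir)


def audit_written(dest_dir):
    """Detection helper: every regular file now under dest_dir, relative to it.
    Diff this against the archive's member list; a member missing here was
    either dropped or written somewhere else."""
    found = []
    for root, _dirs, files in os.walk(dest_dir):
        for name in files:
            found.append(os.path.relpath(os.path.join(root, name), dest_dir))
    return sorted(found)


def build_tar(entries):
    """Constructed archive for the demo; member names are attacker-controlled."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


GOOD = build_tar([("dataset/train.csv", b"1,2,3\n")])
EVIL = build_tar([("dataset/train.csv", b"1,2,3\n"),
                  ("../../../usr/local/lib/python3.11/site-packages/keras/__init__.py",
                   b"import os\n")])


def demo():
    """Returns (files written from GOOD, EVIL rejected?, bad digest rejected?)."""
    dest = tempfile.mkdtemp(prefix="keras-extract-")
    written = extract_pinned(GOOD, hashlib.sha256(GOOD).hexdigest(), dest)
    try:
        extract_pinned(EVIL, hashlib.sha256(EVIL).hexdigest(), dest)
        traversal_rejected = False
    except ArchiveRejected:
        traversal_rejected = True
    try:
        extract_pinned(GOOD, "00" * 32, dest)   # wrong pin: must not extract
        digest_rejected = False
    except ArchiveRejected:
        digest_rejected = True
    return written, traversal_rejected, digest_rejected


if __name__ == "__main__":
    print(demo())
```

Note that a correct pin does not make the member check redundant: the EVIL archive in the demo is rejected even though its digest matches, because a pin only proves you got the archive you expected, not that the archive is safe.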

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.10.1 - AI supply chain management
NIST AI RMF
GOVERN-1.1 - Policies and procedures for AI risk
MANAGE-2.2 - Incident response for AI risks

Frequently Asked Questions

What is CVE-2026-11816?

A path traversal flaw in the archive extraction utilities of Keras versions prior to 3.14.0. The safety filter checks archive member paths against the process working directory instead of the extraction destination, so when the CWD is `/` (the norm in containers, CI runners and Jupyter) a crafted archive can write files anywhere on the filesystem. The CISO Take at the top of this page gives the full summary.

Is CVE-2026-11816 actively exploited?

No confirmed active exploitation of CVE-2026-11816 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-11816?

Upgrade to Keras 3.14.0 (commit 2465b66). If patching is delayed, set the process CWD to the intended extraction directory before extraction, move to Python 3.12+ for the `tarfile` `filter='data'` safety net, pin SHA-256 checksums for datasets and weights, restrict egress, and audit the filesystem after download steps. The five steps are detailed under "What should I do?" above.

What systems are affected by CVE-2026-11816?

This vulnerability affects the following AI/ML architecture patterns: Training pipelines, Model artifact distribution, CI/CD pipelines for ML, Jupyter environments, Data preprocessing pipelines.

What is the CVSS score for CVE-2026-11816?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Training pipelines, Model artifact distribution, CI/CD pipelines for ML, Jupyter environments, Data preprocessing pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.002 Data
AML.T0019 Publish Poisoned Datasets
AML.T0020 Poison Training Data

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.10.1
NIST AI RMF: GOVERN-1.1, MANAGE-2.2

What are the technical details?

Original Advisory

Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines.

Exploitation Scenario

An attacker poisons a public dataset archive hosted on a popular repository — Hugging Face Hub, Kaggle, or a compromised institutional mirror — by embedding path traversal entries such as `../../../usr/local/lib/python3.11/site-packages/keras/__init__.py`. A victim's MLOps pipeline running inside a Docker container (CWD=`/`) calls `keras.utils.get_file()` to download the archive as part of a routine training job. The `filter_safe_tarinfos()` function validates the entry path against `/` rather than the extraction directory, so the traversal passes unchallenged. The malicious file overwrites the legitimate Keras `__init__.py` with an implanted version that exfiltrates model weights or injects a reverse shell callback on next Python import. The attacker achieves persistent code execution inside the training environment with zero user interaction beyond the routine dataset fetch.


Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026
