CVE-2026-1462: Keras: safe_mode bypass allows RCE via model deserialization

GHSA-4f3f-g24h-fr8m HIGH CISA: ATTEND
Published April 13, 2026
CISO Take

A critical deserialization flaw in Keras 3.13.0 allows attackers to bypass safe_mode=True — the framework's explicit defense against loading untrusted models — by embedding references to attacker-controlled TensorFlow SavedModels within a .keras file, resulting in arbitrary code execution under the victim's process privileges during model loading. With 1,515 downstream dependents and EPSS placing this in the top 81% of CVEs by exploitation likelihood, any organization loading third-party .keras models faces meaningful near-term risk even without a public exploit or KEV listing. Patch to keras 3.13.2 immediately and restrict all model loading to cryptographically verified internal repositories until the fix is validated across your ML pipeline.

Sources: NVD, EPSS, GitHub Advisory, ATLAS, OpenSSF

What is the risk?

CVSS 8.8 High with network-accessible attack vector and no privileges required makes this a significant threat. The safe_mode=True bypass is particularly damaging: teams that explicitly set this flag believed their pipelines were protected from untrusted model loading, creating a false sense of security in production. The combination of 1,515 downstream dependents, top-81st-percentile EPSS, and 12 prior CVEs in the same package signals a library under sustained adversarial attention. Risk is elevated in MLOps environments where .keras files regularly cross trust boundaries — model hubs, shared storage, automated CI validation — and process accounts often carry elevated cloud credentials.

How does the attack unfold?

1. Artifact Weaponization (AML.T0018.002): Adversary crafts a malicious .keras model file with a TFSMLayer config referencing an attacker-controlled TensorFlow SavedModel containing arbitrary executable code as custom layer logic.
2. Delivery via Model Distribution (AML.T0058): The weaponized .keras file is published to a public model hub, injected into a compromised internal model registry, or delivered directly via phishing to target ML engineers.
3. Security Control Bypass (AML.T0011.000): Victim loads the model with safe_mode=True expecting protection; Keras TFSMLayer.from_config() unconditionally loads the external SavedModel without path validation, bypassing the safety flag entirely.
4. Full System Compromise (AML.T0112.001): Attacker payload executes under ML pipeline process privileges, enabling credential exfiltration from cloud metadata, theft of proprietary model weights, and lateral movement into training infrastructure.

What systems are affected?

Package: Keras
Ecosystem: pip
Vulnerable Range: < 3.13.2
Patched: 3.13.2

Do you use Keras? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 27% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Patch immediately: upgrade keras to 3.13.2, which removes the unconditional SavedModel loading in TFSMLayer.from_config().
  2. Audit all code calling keras.models.load_model() or using TFSMLayer and enforce source allowlisting: only load models from cryptographically verified internal repositories.
  3. Implement model signing and SHA-256 hash verification before any .keras file enters a pipeline.
  4. Run model loading operations in isolated containers with dropped capabilities, no outbound network access, and read-only mounts on sensitive directories.
  5. Scan model repositories for .keras files containing TFSMLayer definitions referencing external or absolute paths.
  6. Monitor ML workloads for anomalous subprocess spawning, outbound connections to non-registry hosts, or cloud metadata service queries during model load operations.
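As an added defensive example (not code from the advisory or from the Keras project), the following pre-load gate implements the repository scan described above: it opens a .keras archive, walks config.json for TFSMLayer entries and flags any whose SavedModel path is remote, absolute or outside an approved model directory, so the file can be rejected before keras.models.load_model() ever runs. It assumes the SavedModel reference is stored under the config key `filepath` (the name of the TFSMLayer constructor argument) and uses a constructed sample archive rather than a real export.

```python
import io
import json
import os
import zipfile
# A .keras file is a zip archive whose layer graph is serialized in config.json. A
# TFSMLayer entry names its external SavedModel in a "filepath" config key (assumed).
TFSM_CLASS = "TFSMLayer"

def find_tfsm_layers(node, trail="model"):
    """Walk a deserialized config tree; return (location, filepath) per TFSMLayer."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == TFSM_CLASS:
            hits.append((trail, node.get("config", {}).get("filepath")))
        for key, value in node.items():
            hits.extend(find_tfsm_layers(value, f"{trail}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_tfsm_layers(item, f"{trail}[{i}]"))
    return hits

def scan_keras_archive(data, allowed_root):
    """Flag TFSMLayers whose SavedModel path is remote, absolute, or escapes allowed_root."""
    root = os.path.realpath(allowed_root)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    findings = []
    for location, filepath in find_tfsm_layers(config):
        if not isinstance(filepath, str):
            reason = "missing or non-string filepath"
        elif "://" in filepath:
            reason = "remote URL"
        elif os.path.isabs(filepath):
            reason = "absolute path"
        elif os.path.commonpath(
                [root, os.path.realpath(os.path.join(root, filepath))]) != root:
            reason = "escapes allowed root"
        else:
            continue  # relative path confined to the approved model directory
        findings.append((location, filepath, reason))
    return findings  # [] means no TFSMLayer reaches outside the approved root

def build_sample_archive(filepath):
    """Constructed sample, not a real export: minimal .keras-style zip with one TFSMLayer."""
    layers = [{"class_name": TFSM_CLASS, "config": {"filepath": filepath}}]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"class_name": "Sequential",
                                               "config": {"layers": layers}}))
    return buf.getvalue()
```

Any non-empty result should fail the pipeline step and quarantine the artifact; a clean result still leaves the hash verification and sandboxing steps above in place.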

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Information security for AI systems
A.6.2 - AI risk management process
NIST AI RMF
MS-2.6 - Manage AI risks from third-party components
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2026-1462 actively exploited?

No confirmed active exploitation of CVE-2026-1462 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-1462?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML development environments, CI/CD model validation pipelines.

What is the CVSS score for CVE-2026-1462?

CVE-2026-1462 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, ML development environments, CI/CD model validation pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.1, A.6.2
NIST AI RMF: MS-2.6
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.

Exploitation Scenario

An adversary crafts a malicious .keras model file where TFSMLayer's serialized config references an attacker-controlled TensorFlow SavedModel — either hosted externally or embedded with a crafted local path resolved at load time. The file is published to a public model hub (e.g., Hugging Face, Kaggle), inserted into a compromised shared S3 bucket used by a target's MLOps pipeline, or delivered via spearphishing to an ML engineer. The engineer or automated CI job executes keras.models.load_model('victim_model.keras', safe_mode=True), trusting the explicit safety flag. Keras unconditionally invokes TFSMLayer.from_config() without path validation, loading and executing the adversary's SavedModel payload under the pipeline service account's privileges — which typically includes access to cloud storage containing training datasets, secrets manager credentials, and internal API tokens.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: April 13, 2026
Last Modified: April 14, 2026
First Seen: April 13, 2026
