CVE-2026-27489: ONNX: symlink path traversal allows arbitrary file read
GHSA-3r9x-f23j-gc73 HIGH PoC AVAILABLE CISA: TRACK*Any ML pipeline that loads ONNX model files from untrusted sources is exposed to arbitrary file read on the host system. A crafted model containing symlinks can leak credentials, secrets, or config files at load time — no code execution required from the attacker. Upgrade to ONNX 1.21.0 immediately; if you operate model registries or accept user-uploaded models, treat this as urgent.
What is the risk?
Risk is HIGH for organizations that load ONNX models from external sources (HuggingFace, model marketplaces, third-party vendors). The vulnerability is trivially exploitable — creating a malicious ONNX model with symlinks requires no specialized knowledge. The attack surface is broad: ONNX is the de facto interoperability format across PyTorch, TensorFlow, and virtually every production ML stack. Environments where model loading co-locates with cloud credentials, API keys, or internal config files face immediate credential exposure risk. CVSS is not yet scored, but the combination of low complexity, no auth required, and high-value targets in typical ML environments warrants HIGH priority.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ONNX | pip | <= 1.20.0 | 1.21.0 |
Do you use ONNX? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
PATCH
Upgrade onnx pip package to >= 1.21.0 across all environments (dev, staging, prod). Run: pip install --upgrade onnx.
-
AUDIT
Identify all pipeline stages that call onnx.load() or equivalent — include CI/CD, model converters, serving layers.
-
SANDBOX
Load untrusted ONNX models in isolated environments (containers with read-only mounts, no secrets, minimal filesystem exposure).
-
VALIDATE PROVENANCE
Implement model signing or hash verification before loading; reject models from unverified sources.
-
DETECT
Alert on unexpected file access patterns from Python processes loading model files — specifically symlink resolution outside expected model directories.
-
SHORT-TERM WORKAROUND (if patching is blocked): Scan ONNX model archives for symlinks before loading using: python -c "import zipfile; z=zipfile.ZipFile('model.onnx'); [print(i) for i in z.infolist() if i.create_system==3]" (ONNX protobuf files embedded in zip containers).
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-27489?
Any ML pipeline that loads ONNX model files from untrusted sources is exposed to arbitrary file read on the host system. A crafted model containing symlinks can leak credentials, secrets, or config files at load time — no code execution required from the attacker. Upgrade to ONNX 1.21.0 immediately; if you operate model registries or accept user-uploaded models, treat this as urgent.
Is CVE-2026-27489 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-27489, increasing the risk of exploitation.
How to fix CVE-2026-27489?
1. PATCH: Upgrade onnx pip package to >= 1.21.0 across all environments (dev, staging, prod). Run: pip install --upgrade onnx. 2. AUDIT: Identify all pipeline stages that call onnx.load() or equivalent — include CI/CD, model converters, serving layers. 3. SANDBOX: Load untrusted ONNX models in isolated environments (containers with read-only mounts, no secrets, minimal filesystem exposure). 4. VALIDATE PROVENANCE: Implement model signing or hash verification before loading; reject models from unverified sources. 5. DETECT: Alert on unexpected file access patterns from Python processes loading model files — specifically symlink resolution outside expected model directories. 6. SHORT-TERM WORKAROUND (if patching is blocked): Scan ONNX model archives for symlinks before loading using: python -c "import zipfile; z=zipfile.ZipFile('model.onnx'); [print(i) for i in z.infolist() if i.create_system==3]" (ONNX protobuf files embedded in zip containers).
What systems are affected by CVE-2026-27489?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps/CI-CD model validation, model registries, on-device inference.
What is the CVSS score for CVE-2026-27489?
CVE-2026-27489 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.59%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.000 Unsafe AI Artifacts AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System AML.T0058 Publish Poisoned Models Compliance Controls Affected
What are the technical details?
Original Advisory
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.
Exploitation Scenario
Attacker publishes a malicious ONNX model to a public model hub (HuggingFace, ONNX Model Zoo mirror, PyPI-hosted model package). Inside the model archive, they embed a symlink: model_weights -> /run/secrets/kubernetes.io/serviceaccount/token. A victim's automated ML pipeline — say a model validation job in a Kubernetes-based MLOps platform — downloads and calls onnx.load() on the model during validation. The ONNX library follows the symlink and reads the Kubernetes service account token, which the attacker can then use to authenticate against the cluster API. Alternatively, in a less cloud-native scenario: a data scientist downloads and loads the model locally, exposing ~/.aws/credentials or ~/.ssh/id_rsa. The attack requires zero interaction beyond distributing the model file — a realistic supply chain vector given how freely ONNX models are shared.
Weaknesses (CWE)
CWE-23 Relative Path Traversal
Primary
CWE-23 Relative Path Traversal
Primary
CWE-61 UNIX Symbolic Link (Symlink) Following
Primary
CWE-61 UNIX Symbolic Link (Symlink) Following
Primary
CWE-23 Relative Path Traversal CWE-61 UNIX Symbolic Link (Symlink) Following CWE-23 — Relative Path Traversal: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked. Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes: realpath() in C getCanonicalPath() in Java GetFullPath() in ASP.NET realpath() or abs_path() in Perl realpath() in PHP
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-28500 9.1 onnx: Integrity Verification bypass enables tampering
Same package: onnx CVE-2024-5187 8.8 ONNX: path traversal in model download enables RCE
Same package: onnx CVE-2026-34445 8.6 ONNX: property overwrite via crafted model file
Same package: onnx CVE-2024-7776 8.1 ONNX: path traversal in download_model enables RCE
Same package: onnx GHSA-q56x-g2fj-4rj6 7.1 onnx: TOCTOU symlink following enables arbitrary file write
Same package: onnx