AI Threat Alert

CVE-2026-27489: ONNX: symlink path traversal allows arbitrary file read

GHSA-3r9x-f23j-gc73 UNKNOWN PoC AVAILABLE CISA: TRACK*
Published March 31, 2026
CISO Take

Any ML pipeline that loads ONNX model files from untrusted sources is exposed to arbitrary file read on the host system. A crafted model containing symlinks can leak credentials, secrets, or config files at load time — no code execution required from the attacker. Upgrade to ONNX 1.21.0 immediately; if you operate model registries or accept user-uploaded models, treat this as urgent.

What is the risk?

Risk is HIGH for organizations that load ONNX models from external sources (HuggingFace, model marketplaces, third-party vendors). The vulnerability is trivially exploitable — creating a malicious ONNX model with symlinks requires no specialized knowledge. The attack surface is broad: ONNX is the de facto interoperability format across PyTorch, TensorFlow, and virtually every production ML stack. Environments where model loading co-locates with cloud credentials, API keys, or internal config files face immediate credential exposure risk. CVSS is not yet scored, but the combination of low complexity, no auth required, and high-value targets in typical ML environments warrants HIGH priority.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
onnx pip <= 1.20.0 1.21.0
20.8K OpenSSF 8.1 1.2K dependents Pushed 6d ago 90% patched ~29d to patch Full package profile →

Do you use onnx? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.1%
chance of exploitation in 30 days
Higher than 27% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What should I do?

6 steps

  1. PATCH

    Upgrade onnx pip package to >= 1.21.0 across all environments (dev, staging, prod). Run: pip install --upgrade onnx.

  2. AUDIT

    Identify all pipeline stages that call onnx.load() or equivalent — include CI/CD, model converters, serving layers.

  3. SANDBOX

    Load untrusted ONNX models in isolated environments (containers with read-only mounts, no secrets, minimal filesystem exposure).

  4. VALIDATE PROVENANCE

    Implement model signing or hash verification before loading; reject models from unverified sources.

  5. DETECT

    Alert on unexpected file access patterns from Python processes loading model files — specifically symlink resolution outside expected model directories.

  6. SHORT-TERM WORKAROUND (if patching is blocked): Scan ONNX model archives for symlinks before loading using: python -c "import zipfile; z=zipfile.ZipFile('model.onnx'); [print(i) for i in z.infolist() if i.create_system==3]" (ONNX protobuf files embedded in zip containers).

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Data Extraction Framework Model AML.T0010.001 AML.T0011.000 AML.T0025 AML.T0037 AML.T0058

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system supply chain
NIST AI RMF
GOVERN-1.1 - Policies and procedures for AI risk management MAP-5.1 - AI supply chain risk identification
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-27489?

Any ML pipeline that loads ONNX model files from untrusted sources is exposed to arbitrary file read on the host system. A crafted model containing symlinks can leak credentials, secrets, or config files at load time — no code execution required from the attacker. Upgrade to ONNX 1.21.0 immediately; if you operate model registries or accept user-uploaded models, treat this as urgent.

Is CVE-2026-27489 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27489, increasing the risk of exploitation.

How to fix CVE-2026-27489?

1. PATCH: Upgrade onnx pip package to >= 1.21.0 across all environments (dev, staging, prod). Run: pip install --upgrade onnx. 2. AUDIT: Identify all pipeline stages that call onnx.load() or equivalent — include CI/CD, model converters, serving layers. 3. SANDBOX: Load untrusted ONNX models in isolated environments (containers with read-only mounts, no secrets, minimal filesystem exposure). 4. VALIDATE PROVENANCE: Implement model signing or hash verification before loading; reject models from unverified sources. 5. DETECT: Alert on unexpected file access patterns from Python processes loading model files — specifically symlink resolution outside expected model directories. 6. SHORT-TERM WORKAROUND (if patching is blocked): Scan ONNX model archives for symlinks before loading using: python -c "import zipfile; z=zipfile.ZipFile('model.onnx'); [print(i) for i in z.infolist() if i.create_system==3]" (ONNX protobuf files embedded in zip containers).

What systems are affected by CVE-2026-27489?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps/CI-CD model validation, model registries, on-device inference.

What is the CVSS score for CVE-2026-27489?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.

Exploitation Scenario

Attacker publishes a malicious ONNX model to a public model hub (HuggingFace, ONNX Model Zoo mirror, PyPI-hosted model package). Inside the model archive, they embed a symlink: model_weights -> /run/secrets/kubernetes.io/serviceaccount/token. A victim's automated ML pipeline — say a model validation job in a Kubernetes-based MLOps platform — downloads and calls onnx.load() on the model during validation. The ONNX library follows the symlink and reads the Kubernetes service account token, which the attacker can then use to authenticate against the cluster API. Alternatively, in a less cloud-native scenario: a data scientist downloads and loads the model locally, exposing ~/.aws/credentials or ~/.ssh/id_rsa. The attack requires zero interaction beyond distributing the model file — a realistic supply chain vector given how freely ONNX models are shared.

Weaknesses (CWE)

CWE-23 Relative Path Traversal Primary CWE-23 Primary CWE-61 UNIX Symbolic Link (Symlink) Following Primary CWE-61 Primary

References

Timeline

Published
March 31, 2026
Last Modified
April 1, 2026
First Seen
April 1, 2026

Related Vulnerabilities

CRITICAL CVE-2026-28500 9.1

onnx: Integrity Verification bypass enables tampering

Same package: onnx
HIGH CVE-2024-5187 8.8

ONNX: path traversal in model download enables RCE

Same package: onnx
HIGH CVE-2026-34445 8.6

ONNX: property overwrite via crafted model file

Same package: onnx
HIGH CVE-2024-7776 8.1

ONNX: path traversal in download_model enables RCE

Same package: onnx
HIGH GHSA-q56x-g2fj-4rj6 7.1

onnx: TOCTOU symlink following enables arbitrary file write

Same package: onnx
Back to Threat Feed