CVE-2026-28500: onnx: Integrity Verification bypass enables tampering

GHSA-hqmj-h5c6-369m CRITICAL CISA: TRACK*
Published March 18, 2026
CISO Take

ONNX 1.20.1 and below allows silent loading of untrusted models with zero user interaction — the `silent=True` parameter completely suppresses trust verification, turning any automated model-loading pipeline into a credential exfiltration vector. SSH keys and cloud provider credentials can be stolen the moment a model loads, with no user prompt and no log entry. No patch exists; audit all ONNX model loading code today, block `silent=True` usage in production, and rotate credentials on any system that has loaded non-official ONNX models.

What is the risk?

Critical risk for organizations with AI/ML pipelines. CVSS 9.1 with AV:N/AC:L/PR:N/UI:N means no authentication, no complexity, no user action required — the attack surface is any automated pipeline that pulls ONNX models. The absence of a patch, combined with ONNX's widespread adoption across PyTorch, TensorFlow, and Hugging Face ecosystems, makes this a systemic supply chain risk. Organizations running MLOps with automated model updates from public registries are highest risk. The 'zero-interaction' characteristic makes detection particularly difficult since nothing looks abnormal at the application layer.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
ONNX      pip         -                  No patch
ONNX      pip         <= 1.20.1          1.21.0rc1

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 17% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Advanced
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: None

What should I do?

IMMEDIATE (0-24h):
  1. Grep all codebases for `onnx.hub.load` with `silent=True` and remove the parameter or replace it with explicit trust verification.
  2. Block or gate all ONNX model loads from non-official sources at code review and CI/CD level.
  3. Rotate SSH keys and cloud credentials (AWS, GCP, Azure, API tokens) on any host that has executed ONNX hub loads from unverified sources.
SHORT-TERM (1-7d):
  4. Add a SAST rule to flag `silent=True` in ONNX hub calls; treat it as a HIGH severity finding.
  5. Enforce model hash verification against known-good checksums before load.
  6. Sandbox ML workloads with network egress controls (no outbound except to a model registry allowlist).
  7. Enable egress monitoring on ML pipeline containers for anomalous outbound connections.
ONGOING:
  8. Subscribe to GHSA-hqmj-h5c6-369m for patch availability.
  9. Implement model provenance tracking in your MLOps platform.
  10. Apply least-privilege IAM to inference and training workloads.
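The SAST check from step 4 and the checksum gate from step 5, as an added Python example that is not ONNX project code: only the `onnx.hub.load` name comes from the advisory; the allowlist, the stand-in model bytes and the scanned source are constructed, and `parse` stands in for whatever parser your pipeline hands verified bytes to.

```python
import ast
import hashlib
import hmac

def find_silent_hub_loads(source: str) -> list:
    """SAST-style scan: (line, model) for every onnx.hub.load / hub.load call whose
    `silent` keyword is anything other than the literal False. Positional values and
    aliases such as `ld = onnx.hub.load` are not resolved and need a fuller analysis."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if ast.unparse(node.func) not in ("onnx.hub.load", "hub.load"):
            continue
        for kw in node.keywords:
            if kw.arg != "silent":
                continue
            if isinstance(kw.value, ast.Constant) and kw.value.value is False:
                continue  # explicit silent=False keeps the trust warning
            first = node.args[0] if node.args else None
            model = first.value if isinstance(first, ast.Constant) else "<dynamic>"
            findings.append((node.lineno, model))
    return findings

# Constructed allowlist: model name -> SHA-256 of the bytes you reviewed and pinned.
MODEL_BYTES_A = b"\x08\x07\x12\x04test"  # constructed stand-in for a real model file
PINNED_SHA256 = {"example/model-a": hashlib.sha256(MODEL_BYTES_A).hexdigest()}

def verify_model_digest(name: str, raw: bytes, pinned=PINNED_SHA256) -> bool:
    """True only if `name` is allowlisted AND its bytes hash to the pinned digest."""
    expected = pinned.get(name)
    if expected is None:
        return False  # unknown model: fail closed instead of warning
    return hmac.compare_digest(hashlib.sha256(raw).hexdigest(), expected)

def load_verified(name: str, fetch, parse=lambda raw: raw, pinned=PINNED_SHA256):
    """Fetch, verify, then parse: unverified bytes never reach the model parser.
    `fetch(name)` returns raw bytes; `parse` is the model parser (assumed callable)."""
    raw = fetch(name)
    if not verify_model_digest(name, raw, pinned):
        raise ValueError(f"refusing to load {name}: digest not pinned or mismatched")
    return parse(raw)

# Constructed sample source to scan; lines 4 and 6 should be flagged.
SAMPLE_SOURCE = """
import onnx.hub
from onnx import hub
m1 = onnx.hub.load("org/model", silent=True)
m2 = hub.load("org/other", silent=False)
m3 = hub.load("org/third", force_reload=True, silent=QUIET)
"""
```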

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 17 - Quality management system
  Article 9 - Risk management system
ISO 42001
  A.6.2.3 - Supplier and third-party relationships
  A.8.7 - Information security in AI system development
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for third-party AI components
  MANAGE 2.2 - Risk treatment and monitoring for AI supply chain
  MAP 5.1 - Likelihood of AI supply chain risks
OWASP LLM Top 10
  LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-28500?

ONNX 1.20.1 and below allows silent loading of untrusted models with zero user interaction — the `silent=True` parameter completely suppresses trust verification, turning any automated model-loading pipeline into a credential exfiltration vector. SSH keys and cloud provider credentials can be stolen the moment a model loads, with no user prompt and no log entry. No patch exists; audit all ONNX model loading code today, block `silent=True` usage in production, and rotate credentials on any system that has loaded non-official ONNX models.

Is CVE-2026-28500 actively exploited?

No confirmed active exploitation of CVE-2026-28500 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-28500?

IMMEDIATE (0-24h):
  1. Grep all codebases for `onnx.hub.load` with `silent=True` and remove the parameter or replace it with explicit trust verification.
  2. Block or gate all ONNX model loads from non-official sources at code review and CI/CD level.
  3. Rotate SSH keys and cloud credentials (AWS, GCP, Azure, API tokens) on any host that has executed ONNX hub loads from unverified sources.
SHORT-TERM (1-7d):
  4. Add a SAST rule to flag `silent=True` in ONNX hub calls; treat it as a HIGH severity finding.
  5. Enforce model hash verification against known-good checksums before load.
  6. Sandbox ML workloads with network egress controls (no outbound except to a model registry allowlist).
  7. Enable egress monitoring on ML pipeline containers for anomalous outbound connections.
ONGOING:
  8. Subscribe to GHSA-hqmj-h5c6-369m for patch availability.
  9. Implement model provenance tracking in your MLOps platform.
  10. Apply least-privilege IAM to inference and training workloads.

What systems are affected by CVE-2026-28500?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI-CD pipelines, inference infrastructure, model registries, automated model update systems.

What is the CVSS score for CVE-2026-28500?

CVE-2026-28500 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps/CI-CD pipelines, inference infrastructure, model registries, automated model update systems

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0058 Publish Poisoned Models
AML.T0074 Masquerading
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 17, Article 9
ISO 42001: A.6.2.3, A.8.7
NIST AI RMF: GOVERN 6.1, MANAGE 2.2, MAP 5.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of the time of publication, no known patched versions are available.

Exploitation Scenario

Attacker registers a plausible-looking model on a public ONNX model hub (e.g., `org/bert-finetuned-security-v2`), embedding a malicious custom operator that reads `~/.ssh/id_rsa`, `~/.aws/credentials`, and `~/.config/gcloud/` on load and POSTs them to an attacker-controlled endpoint. Attacker then promotes the model via a GitHub README, a benchmark leaderboard entry, or a poisoned documentation PR. A developer or automated pipeline calls `onnx.hub.load('org/bert-finetuned-security-v2', silent=True)` — the `silent=True` flag suppresses the non-official-source trust warning entirely. Model loads, malicious operator executes, credentials exfiltrated in under 500ms. No exception raised, no log entry, pipeline continues normally. Attacker uses exfiltrated AWS credentials to pivot into cloud infrastructure.

Weaknesses (CWE)

CWE-345 — Insufficient Verification of Data Authenticity: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
March 18, 2026
Last Modified
June 8, 2026
First Seen
March 18, 2026

Related Vulnerabilities