CVE-2026-34445: ONNX: property overwrite via crafted model file

GHSA-538c-55jv-c5g9 HIGH
Published April 1, 2026
CISO Take

Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.

What is the risk?

High risk (CVSS 8.6). Exploitability is straightforward: an attacker only needs to deliver a crafted ONNX model to a target that loads it — no authentication, no user interaction, network-reachable. Primary exposure is in organizations ingesting ONNX models from external registries, APIs, or community hubs without integrity validation. The lack of CISA KEV inclusion suggests no confirmed in-the-wild exploitation, but the low exploit barrier and wide ONNX adoption make this a high-priority patch with a short remediation window.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
ONNX pip <= 1.20.1 1.21.0
21.1K OpenSSF 8.8 1.2K dependents Pushed 6d ago 91% patched ~44d to patch Full package profile →

Do you use ONNX? You're affected.

How severe is it?

CVSS 3.1
8.6 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 21% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I Low
A High

What should I do?

5 steps
  1. Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693.

  2. Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources.

  3. Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits.

  4. Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines.

  5. Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.1.6 - AI system supply chain management A.9.3 - AI system inputs
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management across the organization MANAGE-2.2 - Mechanisms to sustain value and respond to risks in deployed AI
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-34445?

Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.

Is CVE-2026-34445 actively exploited?

No confirmed active exploitation of CVE-2026-34445 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34445?

1. Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693. 2. Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources. 3. Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits. 4. Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines. 5. Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.

What systems are affected by CVE-2026-34445?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines, model registry, inference pipelines, CI/CD model validation.

What is the CVSS score for CVE-2026-34445?

CVE-2026-34445 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesMLOps pipelinesmodel registryinference pipelinesCI/CD model validation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.6, A.9.3
NIST AI RMF: GOVERN-1.7, MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

Exploitation Scenario

An adversary uploads a maliciously crafted ONNX model to a public model hub (HuggingFace, ONNX Model Zoo mirror, or internal registry via a compromised contributor account). The model contains ExternalDataInfo entries with unexpected key names; when processed via Python's setattr(), these overwrite internal object properties — for example, corrupting length or offset fields to trigger uncontrolled memory allocation or resource exhaustion. An ML engineer pulls the model for inference benchmarking, or a CI/CD pipeline auto-downloads it for automated validation; loading the file triggers the vulnerability causing DoS or potential memory corruption exploitable for privilege escalation in the hosting environment. In a multi-tenant model serving platform, a single malicious upload could impact all tenants sharing the ONNX loading infrastructure.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 1, 2026

Related Vulnerabilities