CVE-2026-34445 — HIGH (CVSS 8.6)

Q: Is CVE-2026-34445 actively exploited?

No confirmed active exploitation of CVE-2026-34445 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-34445?

1. Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693. 2. Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources. 3. Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits. 4. Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines. 5. Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.

Q: What systems are affected by CVE-2026-34445?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines, model registry, inference pipelines, CI/CD model validation.

Q: What is the CVSS score for CVE-2026-34445?

CVE-2026-34445 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.21%.

CISO Take

Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.

What is the risk?

High risk (CVSS 8.6). Exploitability is straightforward: an attacker only needs to deliver a crafted ONNX model to a target that loads it — no authentication, no user interaction, network-reachable. Primary exposure is in organizations ingesting ONNX models from external registries, APIs, or community hubs without integrity validation. The lack of CISA KEV inclusion suggests no confirmed in-the-wild exploitation, but the low exploit barrier and wide ONNX adoption make this a high-priority patch with a short remediation window.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
onnx	pip	<= 1.20.1	`1.21.0`
20.8K OpenSSF 8.1 1.2K dependents Pushed 7d ago 90% patched ~29d to patch Full package profile →

Do you use onnx? You're affected.

Severity & Risk

CVSS 3.1

8.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 43% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A High

What should I do?

5 steps

Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693.
Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources.
Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits.
Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines.
Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain DoS Code Execution Framework Model Inference AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.6 - AI system supply chain management A.9.3 - AI system inputs

NIST AI RMF

GOVERN-1.7 - Processes for AI risk management across the organization MANAGE-2.2 - Mechanisms to sustain value and respond to risks in deployed AI

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-34445?

Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.

Is CVE-2026-34445 actively exploited?

No confirmed active exploitation of CVE-2026-34445 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34445?

1. Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693. 2. Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources. 3. Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits. 4. Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines. 5. Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.

What systems are affected by CVE-2026-34445?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines, model registry, inference pipelines, CI/CD model validation.

What is the CVSS score for CVE-2026-34445?

CVE-2026-34445 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

Exploitation Scenario

An adversary uploads a maliciously crafted ONNX model to a public model hub (HuggingFace, ONNX Model Zoo mirror, or internal registry via a compromised contributor account). The model contains ExternalDataInfo entries with unexpected key names; when processed via Python's setattr(), these overwrite internal object properties — for example, corrupting length or offset fields to trigger uncontrolled memory allocation or resource exhaustion. An ML engineer pulls the model for inference benchmarking, or a CI/CD pipeline auto-downloads it for automated validation; loading the file triggers the vulnerability causing DoS or potential memory corruption exploitable for privilege escalation in the hosting environment. In a multi-tenant model serving platform, a single malicious upload could impact all tenants sharing the ONNX loading infrastructure.