Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.
What is the risk?
High risk (CVSS 8.6). Exploitability is straightforward: an attacker only needs to deliver a crafted ONNX model to a target that loads it — no authentication, no user interaction, network-reachable. Primary exposure is in organizations ingesting ONNX models from external registries, APIs, or community hubs without integrity validation. The lack of CISA KEV inclusion suggests no confirmed in-the-wild exploitation, but the low exploit barrier and wide ONNX adoption make this a high-priority patch with a short remediation window.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ONNX | pip | <= 1.20.1 | 1.21.0 |
Do you use ONNX? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693.
-
Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources.
-
Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits.
-
Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines.
-
Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-34445?
Any ML pipeline loading ONNX models from untrusted sources is exposed to availability disruption and potential integrity compromise — no credentials or user interaction required, just deliver a crafted .onnx file. Upgrade to ONNX 1.21.0 immediately and enforce model provenance controls in all inference and training pipelines. ONNX is ubiquitous across the ML stack; assume broad exposure until patched.
Is CVE-2026-34445 actively exploited?
No confirmed active exploitation of CVE-2026-34445 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34445?
1. Patch: Upgrade onnx to >=1.21.0 immediately — fix is available and referenced in commit e30c693. 2. Model provenance: Enforce cryptographic signing and hash verification for all ONNX model files before loading; reject models from unverified sources. 3. Sandboxing: Load untrusted models in isolated environments (containers, VMs) with restricted filesystem and network access and resource limits. 4. Allowlisting: Restrict model sources to internal registries or verified hashes only; block auto-downloads from public hubs in production pipelines. 5. Detection: Audit onnx version in all environments via dependency scanning (pip list | grep onnx); alert on version < 1.21.0 in production. Monitor for abnormal memory or CPU spikes during model loading as a behavioral indicator.
What systems are affected by CVE-2026-34445?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, MLOps pipelines, model registry, inference pipelines, CI/CD model validation.
What is the CVSS score for CVE-2026-34445?
CVE-2026-34445 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.29%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0010.003 Model AML.T0011.000 Unsafe AI Artifacts AML.T0018.002 Embed Malware AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
Exploitation Scenario
An adversary uploads a maliciously crafted ONNX model to a public model hub (HuggingFace, ONNX Model Zoo mirror, or internal registry via a compromised contributor account). The model contains ExternalDataInfo entries with unexpected key names; when processed via Python's setattr(), these overwrite internal object properties — for example, corrupting length or offset fields to trigger uncontrolled memory allocation or resource exhaustion. An ML engineer pulls the model for inference benchmarking, or a CI/CD pipeline auto-downloads it for automated validation; loading the file triggers the vulnerability causing DoS or potential memory corruption exploitable for privilege escalation in the hosting environment. In a multi-tenant model serving platform, a single malicious upload could impact all tenants sharing the ONNX loading infrastructure.
Weaknesses (CWE)
CWE-20 Improper Input Validation
Primary
CWE-20 Improper Input Validation
Primary
CWE-400 Uncontrolled Resource Consumption
Primary
CWE-400 Uncontrolled Resource Consumption
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Primary
CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H References
Timeline
Related Vulnerabilities
CVE-2026-28500 9.1 onnx: Integrity Verification bypass enables tampering
Same package: onnx CVE-2024-5187 8.8 ONNX: path traversal in model download enables RCE
Same package: onnx CVE-2026-27489 8.6 ONNX: symlink path traversal allows arbitrary file read
Same package: onnx CVE-2024-7776 8.1 ONNX: path traversal in download_model enables RCE
Same package: onnx GHSA-q56x-g2fj-4rj6 7.1 onnx: TOCTOU symlink following enables arbitrary file write
Same package: onnx