Skip to main content

Keras CVE-2026-12479

| EUVDEUVD-2026-38265 MEDIUM
Path Traversal (CWE-22)
2026-06-22 @huntr_ai GHSA-gh82-f9x8-5frx
6.1
CVSS 3.0 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

AV:L because the path traversal triggers during local model load/save; UI:R because victim must actively open the crafted model; S:C reflects file writes escaping the intended Keras temporary directory boundary.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:L/SA:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 22, 2026 - 16:09 vuln.today
CVE Published
Jun 22, 2026 - 15:21 cve.org
MEDIUM 6.1

DescriptionCVE.org

A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the DiskIOStore.make method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths without sanitizing for parent directory components (..). While forward slashes (/) are restricted in layer names, directory traversal sequences are not. This allows an attacker to craft a malicious Keras model that, when saved or loaded, can escape the intended temporary working directory and perform unauthorized file system operations, such as creating directories or writing files in arbitrary locations.

AnalysisAI

Path traversal in Keras 3.14.0 exposes local file systems to arbitrary file and directory creation when processing maliciously crafted model files. The DiskIOStore.make method constructs directory paths from user-supplied layer names without sanitizing directory traversal sequences (..); since only forward slashes are blocked, embedding .. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft Keras model with traversal layer names
Delivery
Distribute poisoned model via repository or direct delivery
Exploit
Victim loads or saves model in Keras 3.14.0
Execution
DiskIOStore.make constructs path from layer name without sanitization
Persist
Path traversal escapes temporary working directory
Impact
Arbitrary file or directory created on victim file system

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim explicitly invoke a Keras model save or load operation - specifically any code path that exercises DiskIOStore.make - against a model file containing layer names with directory traversal sequences (.. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:C) reflects a local attack vector with user interaction required and a changed scope - the scope change is the key elevating factor, as writes can escape the Keras temporary directory and affect the broader file system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a research model to a public repository (e.g., Hugging Face Hub or a GitHub release) where layer names contain traversal sequences such as ../../.config/autostart/backdoor or similar paths meaningful to the target OS. A data scientist or ML engineer downloads and loads the model using Keras 3.14.0 as part of routine experimentation; during the load operation, DiskIOStore.make constructs a path using the malicious layer name and writes a file outside the intended temporary directory to the attacker-controlled path. …
Remediation No vendor-released patch or confirmed fixed version is identified in the available data - patch availability is unknown at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy