Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Local file load required (AV:L); no attacker privileges needed (PR:N); victim must open file (UI:R); only confidentiality impacted via filesystem read.
Primary rating from Vendor (huntr).
CVSS VectorVendor: huntr
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the H5IOStore._verify_dataset() and file_editor.py methods, which fail to check the dataset.is_virtual property of HDF5 datasets. This allows an attacker to craft a malicious .keras model archive or .h5 weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using keras.models.load_model() or keras.saving.load_model(), the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.
AnalysisAI
Arbitrary HDF5 file read in Keras up to 3.13.2 enables information disclosure when a victim loads a crafted model file, representing an incomplete patch for the prior CVE-2026-1669. The flaw lies in two specific code paths - H5IOStore._verify_dataset() and file_editor.py - which omit the dataset.is_virtual check, allowing a malicious HDF5 Virtual Dataset (VDS) to silently redirect reads to attacker-specified paths on the local filesystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must actively load a malicious `.keras` model archive or `.h5` weights file using `keras.models.load_model()` or `keras.saving.load_model()` - exploitation does not occur on model download alone, only on load. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N scores 5.5, which accurately reflects the local, user-interaction-required nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious pre-trained model to a public model hub or sends it directly to a target data scientist. The `.keras` archive contains a weights file with an HDF5 Virtual Dataset whose source path points to a sensitive file on common Linux paths (e.g., `~/.ssh/id_rsa` or `/run/secrets/api_key`). … |
| Remediation | Upgrade to Keras 3.12.2 or 3.14.1, both of which contain the corrected `is_virtual` check. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41090
GHSA-26c4-7vv6-867j