Skip to main content

Keras CVE-2026-12480

| EUVDEUVD-2026-41090 MEDIUM
External Control of File Name or Path (CWE-73)
2026-07-01 security@huntr.dev GHSA-26c4-7vv6-867j
5.5
CVSS 3.0 · Vendor: huntr
Share

Severity by source

Vendor (huntr) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Local file load required (AV:L); no attacker privileges needed (PR:N); victim must open file (UI:R); only confidentiality impacted via filesystem read.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (huntr).

CVSS VectorVendor: huntr

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 01, 2026 - 18:02 EUVD
Analysis Generated
Jul 01, 2026 - 17:41 vuln.today
CVE Published
Jul 01, 2026 - 17:16 cve.org
MEDIUM 5.5

DescriptionCVE.org

Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the H5IOStore._verify_dataset() and file_editor.py methods, which fail to check the dataset.is_virtual property of HDF5 datasets. This allows an attacker to craft a malicious .keras model archive or .h5 weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using keras.models.load_model() or keras.saving.load_model(), the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.

AnalysisAI

Arbitrary HDF5 file read in Keras up to 3.13.2 enables information disclosure when a victim loads a crafted model file, representing an incomplete patch for the prior CVE-2026-1669. The flaw lies in two specific code paths - H5IOStore._verify_dataset() and file_editor.py - which omit the dataset.is_virtual check, allowing a malicious HDF5 Virtual Dataset (VDS) to silently redirect reads to attacker-specified paths on the local filesystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .keras archive with VDS path
Delivery
Deliver file via model hub or phishing
Exploit
Victim calls keras.models.load_model()
Execution
HDF5 VDS resolves external file path
Persist
Sensitive local file read into dataset buffer
Impact
Attacker retrieves exfiltrated data

Vulnerability AssessmentAI

Exploitation The victim must actively load a malicious `.keras` model archive or `.h5` weights file using `keras.models.load_model()` or `keras.saving.load_model()` - exploitation does not occur on model download alone, only on load. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N scores 5.5, which accurately reflects the local, user-interaction-required nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a malicious pre-trained model to a public model hub or sends it directly to a target data scientist. The `.keras` archive contains a weights file with an HDF5 Virtual Dataset whose source path points to a sensitive file on common Linux paths (e.g., `~/.ssh/id_rsa` or `/run/secrets/api_key`). …
Remediation Upgrade to Keras 3.12.2 or 3.14.1, both of which contain the corrected `is_virtual` check. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy