Skip to main content

Keras CVE-2026-12481

| EUVDEUVD-2026-41600 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-03 @huntr_ai GHSA-5gwj-m78q-7pq3
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (huntr_ai) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Malicious model is delivered over the network and loaded without auth or interaction (AV:N/PR:N/UI:N), low-complexity deserialization yields full OS code execution (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 08, 2026 - 15:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 15:07 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 15:07 NVD
HIGH CRITICAL
CVSS changed
Jul 08, 2026 - 15:07 NVD
8.8 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jul 03, 2026 - 21:51 vuln.today

DescriptionNVD

A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deserialization in the Lambda layer. Specifically, the _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error conflates None (unset/default-deny) with False (explicitly disabled), bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include keras.layers.deserialize(config), keras.models.clone_model(model), and any direct invocation of Lambda.from_config(config) without an enclosing SafeModeScope(True). This vulnerability can be exploited to achieve arbitrary OS-level code execution in the context of the server or user process.

AnalysisAI

Arbitrary code execution in keras-team/keras 3.14.0 lets remote attackers run OS-level commands by supplying a malicious serialized Lambda layer that is deserialized without an active SafeModeScope. The root cause is _raise_for_lambda_deserialization() treating a None safe_mode (the default when from_config() runs outside a SafeModeScope) as if it were an explicit False, so the safe-mode guard is skipped and attacker-controlled marshal bytecode executes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Lambda config with marshal bytecode
Delivery
Deliver model file to victim load path
Exploit
deserialize() called outside SafeModeScope
Execution
Guard bypassed on safe_mode=None
Persist
marshal bytecode executed
Impact
Arbitrary OS code as server process

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to deserialize an attacker-controlled Keras artifact through `keras.layers.deserialize(config)`, `keras.models.clone_model(model)`, or `Lambda.from_config(config)` while NOT inside an enclosing `SafeModeScope(True)` context - the default `safe_mode=None` is precisely the vulnerable state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H), indicating a network-reachable, low-complexity, unauthenticated path to total compromise, consistent with the SSVC 'total' technical impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious Keras model or layer config containing a `Lambda` layer whose function is `marshal`-encoded bytecode, then delivers it to a victim service that loads user-supplied models (e.g., a model-hosting or AutoML pipeline). When the service calls `keras.layers.deserialize()` or `clone_model()` outside a `SafeModeScope`, the guard is bypassed and the attacker's bytecode runs as the server process. …
Remediation No vendor-released patched version is identified in the supplied data, so the fix version cannot be cited (EUVD lists only 'unspecified ≤latest' and no tagged release is provided); monitor the Huntr report (https://huntr.com/bounties/59ceaed1-c8a3-4135-8f94-169ade02823d) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2026-12481) for the patched release and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Conduct rapid inventory of systems running keras-team/keras 3.14.0 and assess network exposure; immediately restrict external access to model loading endpoints and isolate affected services from sensitive networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy