What is the CVSS score of CVE-2026-1462?

CVE-2026-1462 has a CVSS 3.0 base score of 8.8 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Red Hat are affected by CVE-2026-1462?

Keras 3.13.0 contains a critical remote code execution vulnerability in model file deserialization that allows unauthenticated attackers to execute arbitrary code when users load malicious .keras…. A patch is available.

How to fix or mitigate CVE-2026-1462?

Within 24 hours: Inventory all systems running Keras 3.13.0 and identify users who load external .keras model files. Within 7 days: Implement policy restricting model loading to trusted internal sources only and disable automatic model downloads if enabled. Within 30 days: Upgrade to Keras 3.14.0 or later once vendor releases patched version, or migrate to alternative deep learning frameworks if timeline exceeds risk tolerance.

Red Hat CVE-2026-1462

EUVD-2026-21970 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-04-13 @huntr_ai

GHSA-4f3f-g24h-fr8m

RCE Deserialization Red Hat

8.8

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Red Hat

7.8 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:37 vuln.today

cvss_changed

Patch released

Apr 15, 2026 - 02:30 nvd

Patch available

Analysis Generated

Apr 13, 2026 - 15:39 vuln.today

EUVD ID Assigned

Apr 13, 2026 - 15:15 euvd

EUVD-2026-21970

Analysis Generated

Apr 13, 2026 - 15:15 vuln.today

CVE Published

Apr 13, 2026 - 14:55 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

7 pypi packages depend on keras (5 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.13.2.

DescriptionCVE.org

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.

AnalysisAI

Remote code execution in Keras 3.13.0 allows unauthenticated attackers to execute arbitrary code by crafting malicious .keras model files that load attacker-controlled TensorFlow SavedModels during deserialization, bypassing safe_mode protections. Exploitation requires user interaction (victim must load the malicious model), but no authentication is required to deliver the payload. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker crafts malicious .keras model

Delivery

Victim downloads model from repository

Exploit

Victim calls load_model(safe_mode=True)

Execution

TFSMLayer.from_config() loads attacker SavedModel

Persist

Malicious code executes with victim privileges

Impact

Data exfiltration or system compromise

Access

Attacker crafts malicious .keras model

Delivery

Victim downloads model from repository

Exploit

Victim calls load_model(safe_mode=True)

Execution

TFSMLayer.from_config() loads attacker SavedModel

Persist

Malicious code executes with victim privileges

Impact

Data exfiltration or system compromise

Vulnerability AssessmentAI

Exploitation	Victim must load a crafted `.keras` model file in Keras 3.13.0 using `safe_mode=True`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is HIGH despite requiring user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker publishes a seemingly legitimate pre-trained Keras model for image classification on a public repository like Hugging Face or GitHub, advertising high accuracy on a popular benchmark dataset. A data scientist downloads the .keras file and loads it in their Jupyter notebook using keras.models.load_model() with safe_mode=True, believing the safety flag provides protection. …
Remediation	Upstream fix available via GitHub commit b6773d3decaef1b05d8e794458e148cb362f163f; released patched version not independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Keras 3.13.0 and identify users who load external .keras model files. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-1462 vulnerability details – vuln.today

Back

Red Hat CVE-2026-1462

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

Share

External POC / Exploit Code