Skip to main content

ONNX CVE-2026-28500

CRITICAL
Insufficient Verification of Data Authenticity (CWE-345)
2026-03-16 https://github.com/onnx/onnx GHSA-hqmj-h5c6-369m
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

AC:H because exploitation needs the non-default silent=True plus an attacker-controlled repo reference; PR:N/UI:N as no victim auth or prompt occurs once silent is set; C:H/I:H for credential exfiltration and malicious model integrity, A:N per described impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Red Hat
8.6 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

11
Analysis Updated
Jun 30, 2026 - 03:59 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:56 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 03:55 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 03:54 vuln.today
Analysis Updated
Jun 30, 2026 - 03:54 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:24 NVD
8.6 (HIGH) 9.1 (CRITICAL)
Patch released
Apr 07, 2026 - 02:30 nvd
Patch available
Analysis Generated
Mar 16, 2026 - 17:20 vuln.today
CVE Published
Mar 16, 2026 - 16:23 nvd
HIGH 8.6

DescriptionNVD

Summary

A security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts.

The Technical Flaw

The vulnerability is located in onnx/hub.py. The security gate uses a short-circuit evaluation that prioritizes the "silent" preference over the trust requirement:

Python
if not _verify_repo_ref(repo) and not silent:
# This block (Warning + User Input) is SKIPPED if silent=True
    print("The model repo... is not trusted")
    if input().lower() != "y":
        return None

Key Points of Failure: Complete Suppression: If a developer or a third-party library sets silent=True, the application will download and execute models from any attacker-controlled GitHub repository without notifying the user. Integrity Verification Bypass: The SHA256 integrity check validates the model against a manifest file. Since the attacker controls the repository, they also control the manifest, allowing them to provide a "valid" hash for a malicious model.

Impact

This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities , an attacker can silently exfiltrate sensitive files ( SSH keys, cloud credentials) from the victim's machine the moment the model is loaded.

AnalysisAI

Silent supply-chain compromise in the ONNX Python package (pip/onnx <= 1.20.1) arises because passing silent=True to onnx.hub.load() suppresses every untrusted-repository warning and confirmation prompt, letting models download and execute from any attacker-controlled GitHub repo with zero user awareness. Because the SHA256 manifest lives in the same attacker-owned repo, the integrity check is self-defeating and always validates the malicious model. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is fixed in 1.21.0rc1 and carries a vendor CVSS of 9.1.

Technical ContextAI

ONNX (Open Neural Network Exchange) is a widely used open standard and Python library for representing and exchanging machine-learning models; onnx.hub.load() is a convenience helper that fetches pretrained models from remote GitHub repositories using a manifest. The flaw lives in onnx/hub.py, where the trust gate is written as if not _verify_repo_ref(repo) and not silent: - a short-circuit that prioritizes the caller's silent preference over the trust requirement, so the warning and the interactive input() confirmation are skipped entirely when silent=True. This maps to CWE-345 (Insufficient Verification of Data Authenticity): the SHA256 integrity check only compares the model against a manifest stored in the same repository, so an attacker controlling the repo controls both the model and its 'valid' hash, defeating authenticity verification. Affected package per CPE is pkg:pip/onnx.

RemediationAI

Vendor-released patch: upgrade onnx to 1.21.0rc1 or later, where the maintainers resolved the issue by removing the trust-suppression feature entirely (per GHSA-hqmj-h5c6-369m). On Red Hat systems, apply RHSA-2026:24977. Until you can upgrade, the most effective compensating control is to audit your codebase and any third-party libraries for calls to onnx.hub.load() and remove the silent=True argument so the trust warning and confirmation prompt are restored - the trade-off is that automated/non-interactive pipelines will block on the input() prompt and must be reworked to pin trusted repos. Additionally, only load models from the official onnx model zoo or repos you control (pass explicit, verified repo references rather than user/third-party-supplied strings), and run model-loading workloads in a sandboxed, least-privilege environment with no access to SSH keys or cloud credentials to blunt the exfiltration chain described in the advisory. Advisory URLs: https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m and the write-up at https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-28500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy