ONNX CVE-2026-28500
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AC:H because exploitation needs the non-default silent=True plus an attacker-controlled repo reference; PR:N/UI:N as no victim auth or prompt occurs once silent is set; C:H/I:H for credential exfiltration and malicious model integrity, A:N per described impact.
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
11DescriptionNVD
Summary
A security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts.
The Technical Flaw
The vulnerability is located in onnx/hub.py. The security gate uses a short-circuit evaluation that prioritizes the "silent" preference over the trust requirement:
if not _verify_repo_ref(repo) and not silent:
# This block (Warning + User Input) is SKIPPED if silent=True
print("The model repo... is not trusted")
if input().lower() != "y":
return NoneKey Points of Failure: Complete Suppression: If a developer or a third-party library sets silent=True, the application will download and execute models from any attacker-controlled GitHub repository without notifying the user. Integrity Verification Bypass: The SHA256 integrity check validates the model against a manifest file. Since the attacker controls the repository, they also control the manifest, allowing them to provide a "valid" hash for a malicious model.
Impact
This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities , an attacker can silently exfiltrate sensitive files ( SSH keys, cloud credentials) from the victim's machine the moment the model is loaded.
AnalysisAI
Silent supply-chain compromise in the ONNX Python package (pip/onnx <= 1.20.1) arises because passing silent=True to onnx.hub.load() suppresses every untrusted-repository warning and confirmation prompt, letting models download and execute from any attacker-controlled GitHub repo with zero user awareness. Because the SHA256 manifest lives in the same attacker-owned repo, the integrity check is self-defeating and always validates the malicious model. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is fixed in 1.21.0rc1 and carries a vendor CVSS of 9.1.
Technical ContextAI
ONNX (Open Neural Network Exchange) is a widely used open standard and Python library for representing and exchanging machine-learning models; onnx.hub.load() is a convenience helper that fetches pretrained models from remote GitHub repositories using a manifest. The flaw lives in onnx/hub.py, where the trust gate is written as if not _verify_repo_ref(repo) and not silent: - a short-circuit that prioritizes the caller's silent preference over the trust requirement, so the warning and the interactive input() confirmation are skipped entirely when silent=True. This maps to CWE-345 (Insufficient Verification of Data Authenticity): the SHA256 integrity check only compares the model against a manifest stored in the same repository, so an attacker controlling the repo controls both the model and its 'valid' hash, defeating authenticity verification. Affected package per CPE is pkg:pip/onnx.
RemediationAI
Vendor-released patch: upgrade onnx to 1.21.0rc1 or later, where the maintainers resolved the issue by removing the trust-suppression feature entirely (per GHSA-hqmj-h5c6-369m). On Red Hat systems, apply RHSA-2026:24977. Until you can upgrade, the most effective compensating control is to audit your codebase and any third-party libraries for calls to onnx.hub.load() and remove the silent=True argument so the trust warning and confirmation prompt are restored - the trade-off is that automated/non-interactive pipelines will block on the input() prompt and must be reworked to pin trusted repos. Additionally, only load models from the official onnx model zoo or repos you control (pass explicit, verified repo references rather than user/third-party-supplied strings), and run model-loading workloads in a sandboxed, least-privilege environment with no access to SSH keys or cloud credentials to blunt the exfiltration chain described in the advisory. Advisory URLs: https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m and the write-up at https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hqmj-h5c6-369m