Skip to main content

Python EUVDEUVD-2026-17985

| CVE-2026-34445 HIGH
Improper Input Validation (CWE-20)
2026-04-01 GitHub_M GHSA-538c-55jv-c5g9
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
7.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 18:15 euvd
EUVD-2026-17985
Analysis Generated
Apr 01, 2026 - 18:15 vuln.today
CVE Published
Apr 01, 2026 - 17:30 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 pypi packages depend on onnx (9 direct, 8 indirect)

Ecosystem-wide dependent count for version 1.21.0.

DescriptionGitHub Advisory

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

AnalysisAI

Arbitrary attribute injection in ONNX Python library (versions prior to 1.21.0) allows unauthenticated remote attackers to manipulate internal object properties by embedding malicious metadata in ONNX model files, resulting in potential information disclosure, data integrity violations, and high availability impact (CVSS 8.6). The vulnerability stems from unchecked use of Python's setattr() with externally-controlled keys during ExternalDataInfo deserialization. No public exploit code or CISA KEV listing identified at time of analysis, but proof-of-concept development is trivial given the straightforward nature of Python attribute manipulation. EPSS data not provided, but the unauthenticated network-accessible attack vector and low complexity suggest material risk for organizations processing untrusted ONNX models.

Technical ContextAI

ONNX is a widely-adopted open standard for representing machine learning models, enabling interoperability across frameworks like PyTorch, TensorFlow, and scikit-learn. The vulnerability resides in the ExternalDataInfo class, which handles metadata for externally stored tensor data (file paths, offsets, data lengths). The implementation used Python's setattr(object, key, value) to dynamically assign attributes based on key-value pairs parsed directly from the ONNX protobuf model file without validating whether these keys correspond to legitimate metadata fields. This represents a classic CWE-20 (Improper Input Validation) flaw where untrusted data controls object state. An attacker crafting a malicious .onnx file can inject arbitrary attribute names, potentially overwriting critical internal properties like __class__, __dict__, or application-specific control flow variables. The affected CPE (cpe:2.3:a:onnx:onnx) covers the Python onnx package prior to version 1.21.0, used in ML pipelines for model conversion, validation, and inference deployment.

RemediationAI

Organizations must upgrade the ONNX Python package to version 1.21.0 or later, which implements input validation for ExternalDataInfo attribute keys per the patch commit e30c6935d67cc3eca2fa284e37248e7c0036c46b available at https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b. The fix is delivered through pull request 7751 (https://github.com/onnx/onnx/pull/7751) and restricts setattr() usage to a whitelist of legitimate metadata fields. For environments unable to immediately upgrade, implement strict input validation by scanning ONNX model files for unexpected metadata keys before deserialization, restrict model sources to trusted repositories with integrity verification, and deploy sandboxed execution environments with resource limits to contain potential availability impacts. Review the GitHub Security Advisory at https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9 for additional vendor guidance on detection and migration strategies.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-17985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy