Multiple critical vulnerabilities have been identified in ONNX, a framework for representing machine learning models. These vulnerabilities can lead to silent supply chain attacks, arbitrary file reads, and denial-of-service conditions, impacting Python applications that utilize ONNX models. Patches are available and should be applied immediately.
The CVSS scores range from 4.7 to 8.6, indicating significant vulnerabilities that could lead to serious consequences if exploited.
Silent Supply Chain Attack via `onnx.hub.load()`
High severity due to potential for arbitrary code execution and silent compromise.
A low (0.01%) probability of exploitation, but the impact is severe.
Passing `silent=True` to `onnx.hub.load()` suppresses all trust warnings and user prompts when loading models from external repositories. This allows attackers to silently inject malicious models into pipelines without user awareness, potentially leading to arbitrary code execution.
How to fix CVE-2026-28500 in ONNX
Patch immediately:
1. Update ONNX to the latest version (1.21.0 or higher).
    pip install --upgrade onnx
Verify with:
    pip show onnx
Workaround: Avoid using `silent=True` with `onnx.hub.load()` to ensure user awareness and validation of model sources.
NextGuard automatically flags CVE-2026-28500 if [Onnx] appears in any of your monitored projects — no manual lookup required.
Path Traversal Vulnerability via Symlink
High severity due to potential for arbitrary file read.
A moderate (0.063%) probability of exploitation.
A path traversal vulnerability exists due to insufficient symlink validation. Attackers can leverage symlinks to read arbitrary files outside the model or user-provided directory, potentially exposing sensitive data.
How to fix CVE-2026-27489 in ONNX
Patch within 24h:
1. Update ONNX to version 1.21.0 or higher.
    pip install --upgrade onnx
Verify with:
    pip show onnx
Workaround: Carefully validate model sources and restrict access to sensitive files.
Denial-of-Service via Object Settings Manipulation
High severity due to potential for denial-of-service.
A low (0.04%) probability of exploitation.
Malicious ONNX models can crash servers by exploiting unprotected object settings within the ExternalDataInfo class. Attackers can manipulate properties like 'length' to trigger out-of-memory errors or inject 'dunder' attributes to corrupt objects.
How to fix CVE-2026-34445 in ONNX
Patch immediately:
1. Update ONNX to version 1.21.0 or higher.
    pip install --upgrade onnx
Verify with:
    pip show onnx
Workaround: Implement strict input validation and sanitization for ONNX models.
Arbitrary File Read via External Data Hardlink Bypass
Medium severity due to potential for arbitrary file read.
A low (0.012%) probability of exploitation.
ONNX is vulnerable to arbitrary file reads due to a hardlink bypass in the external data loading mechanism. Attackers can create hardlinks to sensitive files and exploit this to read arbitrary files on the system.
How to fix CVE-2026-34446 in ONNX
Patch within 7 days:
1. Update ONNX to version 1.21.0 or higher.
    pip install --upgrade onnx
Verify with:
    pip show onnx
Workaround: Restrict access to external data directories and validate file paths.
External Data Symlink Traversal
Medium severity due to potential for arbitrary file read.
A low (0.012%) probability of exploitation.
The external data loading process fails to properly handle symlinks, allowing attackers to read files outside the intended model directory. This vulnerability stems from a lack of robust symlink checks during file validation.
How to fix CVE-2026-34447 in ONNX
Patch within 7 days:
1. Update ONNX to version 1.21.0 or higher.
    pip install --upgrade onnx
Verify with:
    pip show onnx
Workaround: Implement stricter file path validation and symlink checks during external data loading.
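The path, symlink and hardlink workarounds listed above, together with a bounds check on the declared 'length', can be combined into one pre-read gate. This is an added example, not ONNX's own code or its 1.21.0 patch; `open_external_data` and `ExternalDataError` are hypothetical names, and the caller is assumed to supply the location, offset and length that the model declares for each external tensor.

```python
import os
import stat


class ExternalDataError(ValueError):
    """An external-data reference failed validation."""


def open_external_data(model_dir, location, offset=0, length=None):
    """Open one external tensor file for reading, or raise ExternalDataError.

    location/offset/length are the values the model declares for the tensor;
    extracting them from the model is left to the caller (assumption).
    POSIX only: relies on O_NOFOLLOW.
    """
    base = os.path.realpath(model_dir)
    parts = os.path.normpath(location).split(os.sep)
    if os.path.isabs(location) or os.pardir in parts:
        raise ExternalDataError("location escapes the model directory")

    # No symlinked directory between the model directory and the file.
    probe = base
    for part in parts[:-1]:
        probe = os.path.join(probe, part)
        if os.path.islink(probe):
            raise ExternalDataError("symlinked directory: " + probe)

    # O_NOFOLLOW fails the open if the final component is a symlink;
    # O_NONBLOCK keeps a planted FIFO from blocking the loader.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(os.path.join(base, *parts), flags)
    except OSError as exc:
        raise ExternalDataError("cannot open %r: %s" % (location, exc)) from exc

    try:
        # Checks run on the opened descriptor, so they describe the file
        # that will actually be read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ExternalDataError("not a regular file")
        if st.st_nlink != 1:
            # Strict policy: any extra hard link is treated as hostile.
            raise ExternalDataError("file has additional hard links")
        end = st.st_size if length is None else offset + length
        if offset < 0 or end < offset or end > st.st_size:
            raise ExternalDataError("offset/length outside the file")
    except ExternalDataError:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")
```

The hard-link rule also rejects legitimately deduplicated weight files, so relax it only where the model directory is not writable by untrusted parties.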
These ONNX vulnerabilities highlight the importance of maintaining up-to-date dependencies and implementing robust security practices in your machine learning pipelines. Ensure your environment is secure by patching immediately.