Platform: python
Component: onnx
Fixed in: 1.20.2, 1.21.0
CVE-2026-28500 is a trust bypass vulnerability found in ONNX Runtime versions up to 1.9.0. The vulnerability arises from the silent=True parameter in the onnx.hub.load() function, which suppresses critical trust warnings and user prompts during model loading. This allows attackers to silently download and execute potentially malicious models from untrusted GitHub repositories, effectively bypassing security checks and introducing significant risk.
The core impact of CVE-2026-28500 lies in the ability to execute arbitrary code within the context of the ONNX Runtime environment. An attacker can craft a malicious ONNX model hosted on a compromised or attacker-controlled GitHub repository. By setting silent=True, the user is unaware of the potential risks associated with downloading from an unverified source. The SHA256 integrity check, intended to validate the model's authenticity, is rendered ineffective because the manifest file used for verification resides within the same attacker-controlled repository, ensuring a consistent hash value. This allows the attacker to inject malicious code directly into the model, which will then be executed when the model is loaded and run, potentially leading to data breaches, system compromise, or denial of service.
CVE-2026-28500 was published on 2026-03-16. Its severity is rated as HIGH (CVSS 8.6). There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term, but this could change as awareness increases.
Exploit Status
EPSS: 0.01% (1% percentile)
The primary mitigation for CVE-2026-28500 is to upgrade ONNX Runtime to version 1.21.0 or later, which addresses the trust bypass vulnerability. If upgrading is not immediately feasible, consider implementing a temporary workaround by strictly controlling the sources from which ONNX models are downloaded. Implement a policy requiring all model repositories to be verified and trusted before deployment. Additionally, consider using a Web Application Firewall (WAF) or proxy to inspect and filter incoming model files, looking for suspicious patterns or known malicious signatures. While a direct detection signature (Sigma/YARA) is difficult to create due to the nature of the vulnerability, monitoring for unusual ONNX Runtime behavior and unexpected model execution patterns can provide early warning signs. After upgrading, confirm the fix by attempting to load a model from an untrusted repository with silent=True and verifying that the trust warning is displayed.
Update the ONNX library to a patched version once one is available. Avoid using the `silent=True` parameter in the `onnx.hub.load()` function so that security warnings are displayed correctly.
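One way to audit a code base for the pattern described above, as an added example (not code from the ONNX project or this advisory): a static check that flags `onnx.hub.load()` calls that may suppress the trust prompt or that name a repository outside an allowlist. The allowlist, the sample source, and the positional parameter order and default repository of `load()` are assumptions.

```python
import ast

# Assumption: repositories your organisation has reviewed; adjust to policy.
TRUSTED_REPOS = {"onnx/models"}
# Assumption: positional parameter order of onnx.hub.load().
PARAMS = ["model", "repo", "opset", "force_reload", "silent"]

# Constructed sample source to audit (not taken from any real project).
SAMPLE = '''
import onnx
from onnx import hub
m1 = onnx.hub.load("resnet50")
m2 = hub.load("resnet50", repo="example-org/models:main", silent=True)
m3 = hub.load("mnist", "example-org/models", None, False, True)
m4 = hub.load("mnist", repo=user_supplied, silent=quiet)
'''

def _is_hub_load(func):
    # Matches the spellings onnx.hub.load(...) and hub.load(...).
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and ast.unparse(func.value) in ("onnx.hub", "hub"))

def audit_hub_loads(source):
    """Return sorted (line, repo, prompt_suppressed, repo_trusted) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_hub_load(node.func)):
            continue
        args = dict(zip(PARAMS, node.args))
        args.update({k.arg: k.value for k in node.keywords if k.arg})
        silent, repo = args.get("silent"), args.get("repo")
        # Anything other than "absent" or a literal False may hide the prompt.
        suppressed = silent is not None and not (
            isinstance(silent, ast.Constant) and silent.value is False)
        if repo is None:
            repo_name, trusted = "onnx/models", True  # assumed default repo
        elif isinstance(repo, ast.Constant) and isinstance(repo.value, str):
            repo_name = repo.value.split(":")[0]  # drop the ":branch" suffix
            trusted = repo_name in TRUSTED_REPOS
        else:
            repo_name, trusted = ast.unparse(repo), False  # dynamic value
        if suppressed or not trusted:
            findings.append((node.lineno, repo_name, suppressed, trusted))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_hub_loads(SAMPLE):
        print(finding)
```

Run it over each source file in CI and fail the build on any finding; dynamic `repo` or `silent` values are reported because they cannot be verified statically.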
It's a trust bypass vulnerability in ONNX Runtime versions up to 1.9.0, allowing models to be loaded from unverified sources without warnings.
If you are using ONNX Runtime versions 1.9.0 or earlier, you are potentially affected by this vulnerability.
Upgrade ONNX Runtime to version 1.21.0 or later to resolve the vulnerability. If immediate upgrade isn't possible, restrict model sources.
There's currently no evidence of active exploitation, but public POCs are likely to appear.
Refer to the official ONNX Runtime security advisories and the NVD entry for CVE-2026-28500 for more details.