Platform: python
Component: onnx
Fixed in: 1.21.1, 1.21.0
CVE-2026-34446 describes an arbitrary file access vulnerability discovered in ONNX Runtime versions up to 1.9.0. The flaw arises from insufficient validation of hardlinks during file loading, which lets an attacker bypass the path checks that were meant to prevent such access. The vulnerability poses a significant risk, particularly within AI supply chain environments like HuggingFace, where a malicious model could silently exfiltrate secrets. A fix is available in version 1.21.0.
The core of the vulnerability lies in the onnx.load function's failure to validate hardlinks. While the code checks for symbolic links to prevent path traversal, it overlooks hardlinks entirely. Because a hardlink looks like an ordinary regular file on the filesystem, it passes every check in onnx/checker.cc: the validator only calls is_symlink() and never inspects the inode or link count. An attacker can therefore craft a malicious ONNX model whose external data is a hardlink to a sensitive file on the victim's system. When the model is loaded, the attacker gains unauthorized access to the targeted file without triggering any alerts or security protections. The impact is particularly severe in AI supply chains, where a single compromised model can silently steal secrets from the victim's machine.
CVE-2026-34446 was published on 2026-04-01. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available. The vulnerability's impact within AI supply chains warrants close monitoring, as it could be exploited to compromise machine learning models and steal sensitive data.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34446 is to upgrade to ONNX Runtime version 1.21.0 or later, which includes the fix. If upgrading is not immediately feasible, apply temporary workarounds: restrict the sources of ONNX models your application loads to trusted providers only; apply strict input validation to any user-provided data used to construct ONNX models; and consider an inspecting proxy or Web Application Firewall (WAF) to screen incoming ONNX model files for suspicious patterns or hardlink structures. No specific Sigma or YARA rule is readily available, but monitoring for unusual file access immediately after an ONNX model is loaded can provide early detection. After upgrading, confirm the fix by attempting to load a test ONNX model containing a hardlink to a known, non-sensitive file; the load should be rejected.
Update the ONNX library to version 1.21.0 or higher. This fixes the arbitrary file read caused by the missing hardlink check on ExternalData paths when loading ONNX models.
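A pre-load check of the kind described above, as an added example that is not the onnx project's own code: it validates each external_data location the way the checker should, rejecting traversal, symlinks and, via the link count, hardlinks. It assumes the caller pulls the location strings out of the model's tensors; the temporary directory, secret file and weight file in demo() are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


class UnsafeExternalDataError(Exception):
    """Raised when an external_data location fails the pre-load checks."""


def check_external_data_path(model_dir, location):
    """Validate one external_data 'location' (the relative path an ONNX
    tensor points at) before any bytes are read. Rejects traversal, symlinks
    (the case the checker handled) and hardlinks (the case it missed)."""
    base = Path(model_dir).resolve()
    rel = Path(location)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafeExternalDataError(f"traversal in {location!r}")
    candidate = base / rel
    st = candidate.lstat()  # lstat: inspect a symlink rather than follow it
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeExternalDataError(f"{location!r} is a symbolic link")
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeExternalDataError(f"{location!r} is not a regular file")
    # A hardlink is a regular file sharing an inode; the only visible signal
    # is a link count above one, so treat that as untrusted (conservative).
    if st.st_nlink > 1:
        raise UnsafeExternalDataError(f"{location!r} has {st.st_nlink} links")
    resolved = candidate.resolve()
    if base not in resolved.parents:  # catches a symlinked parent directory
        raise UnsafeExternalDataError(f"{location!r} escapes the model dir")
    return resolved


def demo():
    """Constructed scenario: a model directory with one legitimate weight
    file plus a symlink and a hardlink to a 'secret' outside it."""
    root = Path(tempfile.mkdtemp())
    secret = root / "secret.txt"
    secret.write_text("token=constructed-sample\n")  # stand-in credential
    model_dir = root / "model"
    model_dir.mkdir()
    (model_dir / "weights.bin").write_bytes(b"\x00" * 16)
    os.symlink(secret, model_dir / "sym.bin")
    os.link(secret, model_dir / "hard.bin")  # passes is_symlink(), fails nlink
    results = {}
    for loc in ("weights.bin", "sym.bin", "hard.bin", "../secret.txt"):
        try:
            check_external_data_path(model_dir, loc)
            results[loc] = "ok"
        except UnsafeExternalDataError as err:
            results[loc] = f"rejected: {err}"
    return results
```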
CVE-2026-34446 is a vulnerability in ONNX Runtime versions up to 1.9.0 that allows attackers to access files through hardlink manipulation, bypassing security checks.
You are affected if you are using ONNX Runtime versions 1.9.0 or earlier. Upgrade to 1.21.0 or later to resolve the issue.
Upgrade to ONNX Runtime version 1.21.0 or later. As a temporary workaround, restrict model sources and implement strict input validation.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants monitoring.
Refer to the official ONNX Runtime release notes and security advisories on the Microsoft GitHub repository for the latest information.