Platform: python
Component: onnx
Fixed in: 1.21.1, 1.21.0
A symlink traversal vulnerability has been identified in Open Neural Network Exchange (ONNX) versions up to and including 1.9.0. The flaw sits in the external data loading path: when a model references tensor data stored in separate files, the loader follows symbolic links placed among those files, so a crafted model directory can make the loader read files outside the intended model directory. The fix ships in version 1.21.0; users are strongly advised to upgrade to close off this avenue for unauthorized data access.
In practice, an attacker who can supply a model directory (a downloaded model, a shared model bundle, an artifact pulled from a registry) places a symbolic link where an external data file is expected and points it at a target elsewhere on the filesystem. When the model is loaded, the contents of that target are read as if they were tensor data, exposing configuration files, credentials, or other proprietary information stored on the host. The blast radius is bounded by the permissions of the process that loads the model and by what sensitive files are reachable from it. The flaw does not by itself give remote code execution, but the resulting data exposure can still be a significant compromise, particularly in shared inference services that load user-supplied models.
This vulnerability was publicly disclosed on 2026-04-01. There is no indication of active exploitation campaigns at this time, and it is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but building one requires little more than a model file and a symbolic link, so that situation could change quickly.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34447 is to upgrade to ONNX version 1.21.0 or later, which contains the fix. If upgrading is not immediately feasible, reduce exposure in the meantime: confine the directories the ONNX process can read (a container or sandbox with only the model directory mounted, or filesystem access controls that deny everything else), run the process with the minimum privileges it needs, and treat model directories from untrusted sources as untrusted input. Before loading such a directory, check that no external data file is a symbolic link and that every referenced location resolves inside the model directory. After upgrading, confirm the fix by attempting to load a test model whose external data file is a symbolic link pointing outside the model directory; the load should be refused rather than returning the contents of the link target.
Update the ONNX library to version 1.21.0 or higher. This corrects the symlink traversal in external data loading so that files outside the model directory can no longer be read through a crafted model.
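The pre-load check and the verification step above can be exercised without the ONNX library. The following is an added example, not code from the ONNX project or from this advisory: it implements a containment check for the relative `location` strings that ONNX external data entries carry, and builds a constructed scratch directory (a legitimate data file, a symlinked file and a symlinked directory that both escape the model directory) to show which locations are refused. Function and variable names are this example's own assumptions.

```python
"""Pre-load containment check for ONNX external data locations.

Added, standalone example (not ONNX project code). The advisory describes a
loader that follows symbolic links placed among a model's external data
files. Before handing an untrusted model directory to the loader, resolve
every external ``location`` against the model directory and refuse anything
that is absolute, passes through a symlink, or resolves outside that
directory.
"""
import os
import shutil
import tempfile
from pathlib import Path


def check_external_location(model_dir, location, allow_symlinks=False):
    """Return "ok", or a short reason: "absolute-path", "symlink", "escapes-directory".

    `location` is the relative path an ONNX tensor's external_data entry
    would carry; `model_dir` is the directory the model file lives in.
    """
    base = Path(model_dir).resolve(strict=True)
    if os.path.isabs(location):
        return "absolute-path"
    # Walk each component so a symlinked directory in the middle of the
    # path is caught, not only a symlinked leaf file.
    if not allow_symlinks:
        current = base
        for part in Path(location).parts:
            current = current / part
            if current.is_symlink():
                return "symlink"
    # resolve() follows links and collapses '..'; the result must stay
    # strictly below base (base itself is a directory, never tensor data).
    resolved = (base / location).resolve()
    if resolved == base or base not in resolved.parents:
        return "escapes-directory"
    return "ok"


def build_demo_tree():
    """Build a throwaway layout (constructed for this example) and check it.

        <tmp>/secret.txt                 file outside the model directory
        <tmp>/model/weights.bin          legitimate external data
        <tmp>/model/evil.bin -> <tmp>/secret.txt   symlinked file escaping
        <tmp>/model/up -> <tmp>                    symlinked directory escaping
    """
    root = Path(tempfile.mkdtemp(prefix="onnx-extdata-demo-"))
    try:
        (root / "secret.txt").write_text("do-not-read\n")
        model_dir = root / "model"
        model_dir.mkdir()
        (model_dir / "weights.bin").write_bytes(b"\x00" * 16)
        os.symlink(root / "secret.txt", model_dir / "evil.bin")
        os.symlink(root, model_dir / "up")
        return {
            "legit": check_external_location(model_dir, "weights.bin"),
            "symlink-file": check_external_location(model_dir, "evil.bin"),
            "symlink-dir": check_external_location(model_dir, "up/secret.txt"),
            # Even with symlinks tolerated, the resolved target still escapes.
            "symlink-file-allowed": check_external_location(
                model_dir, "evil.bin", allow_symlinks=True),
            "dotdot": check_external_location(model_dir, "../secret.txt"),
            "absolute": check_external_location(model_dir, str(root / "secret.txt")),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in build_demo_tree().items():
        print(f"{name:22s} {verdict}")
```

The same scratch layout serves the verification step: write a small model whose external data entry points at `evil.bin`, load it with `onnx.load` on the upgraded version, and confirm the load is refused instead of returning the bytes of `secret.txt`. The component-by-component walk matters because a single `resolve()` on the full path would accept a symlinked directory whose target happens to lie inside the model directory today but can be repointed later; refusing symlinks outright is the simpler policy for untrusted input.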
CVE-2026-34447 is a medium-severity vulnerability in ONNX versions up to and including 1.9.0. A flaw in external data loading lets a crafted model read files outside the intended model directory through symbolic links.
You are affected if you run ONNX 1.9.0 or earlier and load models that use external data, especially models obtained from sources you do not control. Upgrade to version 1.21.0 or later to resolve the issue.
The recommended fix is to upgrade to ONNX version 1.21.0 or later. As a temporary workaround, restrict the filesystem the loading process can reach and check untrusted model directories for symbolic links before loading them.
There is currently no evidence of active exploitation, but the vulnerability is simple to trigger, so that should not be relied on.
Refer to the ONNX project's official security advisories and release notes for details: [https://github.com/onnx/onnx/security/advisories](https://github.com/onnx/onnx/security/advisories)