Two high-severity vulnerabilities in ONNX affect versions prior to 1.21.0, each exploitable through a crafted model file. CVE-2026-34445 stems from the ExternalDataInfo class using Python setattr() on model metadata without validating the supplied keys, so a crafted ONNX file can overwrite internal object properties. The flaw is remotely exploitable with low attack complexity and no required privileges or user interaction, and can lead to server crashes and broader integrity and confidentiality impacts.
A second issue, CVE-2026-27489, allows arbitrary file reads outside the intended model or user-supplied directory through path traversal involving symlinks. The vulnerability is classified under CWE-23 and CWE-61, while the object-setting flaw is mapped to CWE-20, CWE-400, and CWE-915. ONNX has patched both vulnerabilities in version 1.21.0, and published advisory and code references alongside the disclosures.

Public advisories disclosed two ONNX vulnerabilities affecting versions prior to 1.21.0: CVE-2026-27489, a path traversal via symlink issue, and CVE-2026-34445, a flaw in ExternalDataInfo that could let malicious ONNX models crash servers and alter internal object properties. The disclosures included severity classifications, CVSS vectors, and references to related advisories and code.
ONNX released version 1.21.0 to patch two flaws affecting earlier versions: CVE-2026-34445, which allowed malicious model metadata to overwrite object properties via unvalidated setattr() usage, and CVE-2026-27489, a symlink-based path traversal that enabled arbitrary file reads outside intended directories.
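The two flaws share a root cause: loader code that trusts values taken from the model file. The following is an added, hypothetical illustration (not ONNX's code and not its actual fix) of the two defensive checks a loader needs: an allowlist before setattr() on metadata keys, and realpath-based containment of an external-data location so that a symlink inside the model directory cannot resolve to a file outside it. The class, field names and helper names are assumptions made for this example.

```python
import os
import tempfile

# Hypothetical allowlist of fields an external-data record may set.
# Constructed for this example; ONNX's real field set and fix differ.
ALLOWED_EXTERNAL_DATA_KEYS = frozenset({"location", "offset", "length", "checksum"})


class SafeExternalDataInfo:
    """Holds external-data metadata but only accepts allowlisted keys."""

    def __init__(self, entries):
        # Explicit defaults: no attribute is left for the metadata to define.
        self.location = None
        self.offset = 0
        self.length = 0
        self.checksum = None
        for key, value in entries:
            # Unvalidated setattr() on file-controlled keys could overwrite any
            # attribute of the object (CWE-915 pattern). Reject unknown keys.
            if key not in ALLOWED_EXTERNAL_DATA_KEYS:
                raise ValueError(f"unexpected external data key: {key!r}")
            setattr(self, key, value)


def resolve_external_path(base_dir, location):
    """Return the real path of `location` under `base_dir`, or raise.

    realpath() follows symlinks before the containment check, so a link placed
    inside the model directory that points elsewhere is rejected (CWE-61)."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, location))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"location escapes model directory: {location!r}")
    return candidate


def demo():
    """Constructed scenario: a symlink in the model dir pointing outside it."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as model_dir:
        target = os.path.join(outside, "outside.bin")
        open(target, "w").close()
        os.symlink(target, os.path.join(model_dir, "weights.bin"))
        try:
            resolve_external_path(model_dir, "weights.bin")
        except ValueError:
            return "rejected"
        return "accepted"


if __name__ == "__main__":
    print(demo())  # expected: rejected
```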