CVE-2026-28500
Received Received - Intake
Security Bypass in ONNX Model Loading Enables Silent Data Exfiltration

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28500
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation onnx to 1.20.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28500 is a high-severity vulnerability in the onnx Python package's onnx.hub.load() function, present in versions up to 1.20.1. The vulnerability arises from improper logic in the repository trust verification mechanism when the silent=True parameter is used. Normally, the function warns users when loading models from untrusted sources and requests confirmation. However, with silent=True, all security warnings and prompts are suppressed, allowing automatic loading of models from attacker-controlled repositories without user awareness."}, {'type': 'paragraph', 'content': 'An attacker can supply a malicious model with a matching valid SHA256 hash, bypassing integrity checks. This creates a silent supply-chain attack vector where malicious models can be loaded and executed without notification. When combined with file-system vulnerabilities, attackers can exfiltrate sensitive data such as SSH keys and cloud credentials immediately upon model loading.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to a silent supply-chain attack where malicious machine learning models are loaded without user knowledge or consent. Attackers can exploit this to execute malicious code or actions on the victim's machine."}, {'type': 'list_item', 'content': 'Exfiltration of sensitive files such as SSH keys and cloud credentials.'}, {'type': 'list_item', 'content': 'No privileges or user interaction are required for the attack, making it easy to exploit.'}, {'type': 'list_item', 'content': 'The attack has a high confidentiality impact but does not affect integrity or availability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the use of the onnx.hub.load() function with the silent=True parameter, which suppresses security warnings and prompts when loading models from untrusted repositories.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor for usage of onnx.hub.load() calls that include the silent=True parameter, especially when loading models from non-official or unknown repositories.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is triggered by Python code execution, you can search your codebase or running processes for invocations of onnx.hub.load with silent=True.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find occurrences in your code: grep -r "onnx.hub.load" . | grep "silent=True"'}, {'type': 'list_item', 'content': 'Monitor Python process command lines or logs for suspicious model loading from untrusted sources.'}, {'type': 'list_item', 'content': 'Check network traffic for connections to unknown GitHub repositories or suspicious download activity related to ONNX models.'}] [1, 2]

Mitigation Strategies

As no patched versions are currently available, immediate mitigation involves avoiding the use of the silent=true parameter in onnx.hub.load() to ensure that security warnings and confirmation prompts are not suppressed.

Additionally, only load ONNX models from trusted, official repositories to reduce the risk of supply-chain attacks.

Implement monitoring to detect any unexpected or silent model loading activities.

Consider restricting network access to untrusted GitHub repositories or applying application-level controls to prevent automatic downloads from unknown sources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart