CVE-2026-27489
Status: Received - Intake
Path Traversal in ONNX Allows Arbitrary File Read Pre

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows an attacker to read arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.0.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-01
EPSS evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: linuxfoundation
Product: onnx
Version / Range: up to 1.21.0 (excluding)
CWE
CWE-23: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-27489 is a high-severity path traversal vulnerability in ONNX that allows attackers to read arbitrary files on the host system by exploiting improper symlink handling. This unauthorized disclosure of sensitive files and environment variables can lead to exposure of confidential data.

Such unauthorized data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information. The vulnerability could lead to breaches of confidentiality obligations mandated by these regulations.

The vulnerability enables attackers to bypass intended access controls and read files outside the allowed directories, potentially exposing personal data or protected health information, thus increasing the risk of non-compliance with data protection laws.


Can you explain this vulnerability to me?

CVE-2026-27489 is a high-severity path traversal vulnerability in the Open Neural Network Exchange (ONNX) package prior to version 1.21.0. It arises from improper handling of symbolic links (symlinks) when loading external data files associated with ONNX models.

The vulnerability occurs because the code uses a symlink check that follows symlinks and mistakenly treats symlinked files as regular files. This allows an attacker to craft a malicious ONNX model with external data files replaced by symlinks pointing to arbitrary sensitive files on the host system.

When a victim loads such a malicious model, the symlink is followed, enabling unauthorized reading of arbitrary files outside the intended model or user directories. This can expose sensitive files like system passwords or environment variables.

The issue was patched by implementing secure file opening methods that prevent following symlinks using OS-level flags like O_NOFOLLOW and by adding multiple layers of path validation and symlink/hardlink detection.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive files on the host system where the ONNX model is loaded.

An attacker can exploit this flaw remotely by providing a malicious ONNX model containing symlinked external data files that point to arbitrary files on the victim's system.

  • Exposure of sensitive system files such as password files or environment variables.
  • Potential leakage of confidential information stored on the host.
  • Compromise of confidentiality without requiring any privileges or user interaction.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying malicious ONNX model files that include symlinked external data files pointing outside the intended directories. Since the vulnerability exploits symlinks to read arbitrary files, you can check for suspicious symlinks in directories where ONNX models and their external data files are stored.

Suggested commands to detect potential exploitation or presence of malicious symlinks include:

  • Use 'find' to locate symlinks in the model directories: find /path/to/models -type l -ls
  • Check where symlinks point to, for example: ls -l /path/to/models/*.data
  • Verify if any symlink points outside the expected model or user directories, e.g., pointing to /etc/passwd or other sensitive files.

Additionally, monitoring file access logs or using filesystem auditing tools to detect unexpected reads of sensitive files when ONNX models are loaded can help identify exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade ONNX to version 1.21.0 or later, where this vulnerability has been patched.

The patch includes secure handling of external data files by:

  • Replacing unsafe symlink checks with secure file open operations using OS-level flags like O_NOFOLLOW to prevent following symlinks.
  • Implementing canonical path containment checks to ensure external data files reside within the model directory.
  • Rejecting final-component symlinks and files with multiple hardlinks to prevent symlink and hardlink attacks.

If upgrading immediately is not possible, as a temporary measure, avoid loading ONNX models from untrusted sources and audit existing models for suspicious symlinks or external data files.
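Added example, not code from the onnx project: a Python helper that applies the layered checks described in the patch summary above (canonical containment, rejection of final-component symlinks and multi-hardlink files, and an O_NOFOLLOW open) to an external-data location, plus an audit function for the detection step in the earlier answer. It assumes a POSIX filesystem and Python 3.9+, and builds its own constructed sample directory instead of a real model.

```python
import os
import stat
import tempfile
from pathlib import Path

def open_external_data(model_dir: str, location: str):
    """Open the external-data file a model names in `location`, or raise ValueError."""
    base = Path(model_dir).resolve(strict=True)
    target = base / location
    # Canonical containment: resolve() follows every symlink, so a link whose
    # target lies outside model_dir is caught here whatever its type.
    if not target.resolve(strict=True).is_relative_to(base):
        raise ValueError(f"{location!r} resolves outside the model directory")
    st = os.lstat(target)                              # lstat does not follow links
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{location!r} is a symlink or not a regular file")
    if st.st_nlink > 1:                                # hardlink to a sensitive file
        raise ValueError(f"{location!r} has {st.st_nlink} hardlinks")
    # O_NOFOLLOW makes the open itself fail if the path was swapped for a link.
    return os.fdopen(os.open(target, os.O_RDONLY | os.O_NOFOLLOW), "rb")

def audit_model_dir(model_dir: str) -> list[str]:
    """List symlinks (with their targets) and hardlinked files under model_dir."""
    base = Path(model_dir).resolve(strict=True)
    findings = []
    for root, _dirs, files in os.walk(base, followlinks=False):
        for name in files:
            p = Path(root, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                findings.append(f"symlink {p.relative_to(base)} -> {os.readlink(p)}")
            elif st.st_nlink > 1:
                findings.append(f"hardlinked {p.relative_to(base)} nlink={st.st_nlink}")
    return findings

def try_open(model_dir: str, location: str) -> str:
    """Return the file contents on success, or 'rejected: <reason>'."""
    try:
        with open_external_data(model_dir, location) as f:
            return f.read().decode()
    except (ValueError, OSError) as e:
        return f"rejected: {e}"

def build_demo_dir() -> str:
    # Constructed sample: a benign weights file plus a symlink escaping the directory.
    outside, model_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    Path(outside, "secret.txt").write_text("SECRET")
    Path(model_dir, "weights.bin").write_bytes(b"WEIGHTS")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(model_dir, "evil.bin"))
    return model_dir
```

Running audit_model_dir over a real model directory reports every symlink with its target, which is the same information the find and ls commands above produce.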

