CVE-2026-34446
Path Traversal via Hardlink in ONNX before
Publication date: 2026-04-01
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | onnx | to 1.21.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to perform arbitrary file reads on the victimβs machine by exploiting hardlinks in malicious ONNX models. Such unauthorized access to sensitive files could lead to the exposure of confidential information.
In contexts where sensitive data is handled, such as AI supply chains or platforms hosting machine learning models, this could result in violations of data protection regulations like GDPR or HIPAA, which mandate strict controls over the confidentiality and security of personal and health-related data.
Therefore, the vulnerability poses a risk to compliance with these standards by potentially enabling data breaches through unauthorized file access.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the ONNX library to version 1.21.0 or later, where this vulnerability has been patched.
Until the upgrade is applied, avoid loading ONNX models from untrusted sources, especially those that might contain hardlinks or external data references.
Implement file system monitoring to detect and prevent the presence of hardlinks in directories used for ONNX models.
Consider restricting user permissions and access controls to limit the ability to create or use hardlinks in sensitive environments.
Can you explain this vulnerability to me?
CVE-2026-34446 is a vulnerability in the ONNX library's onnx.load function, present in versions up to 1.20.1 and fixed in 1.21.0. The issue occurs because the code tries to prevent path traversal attacks by checking for symbolic links (symlinks), but it completely misses hardlinks. Hardlinks appear as regular files on the filesystem and share the same inode, so the security check does not detect them.
This flaw allows an attacker to craft malicious ONNX models containing external data references via hardlinks, which can bypass security checks and enable arbitrary file reads on the victimβs machine.
The vulnerability is related to improper limitation of pathname to restricted directories (CWE-22) and insufficient handling of symbolic links (CWE-61).
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform arbitrary file reads on your machine by exploiting the failure to detect hardlinks in malicious ONNX models.
In practical terms, this means sensitive information could be silently exfiltrated without your awareness, especially in AI supply chain contexts where models are shared or downloaded from platforms like HuggingFace.
The attack requires local access and user interaction, and has a moderate severity with a CVSS score of 4.7.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the presence of hardlinks in ONNX model files that bypass the symlink checks in the onnx.load function. To detect potential exploitation, you can look for ONNX model files that contain hardlinks or unusual inode link counts.
On a Unix-like system, you can use the following commands to identify hardlinks in directories containing ONNX models:
- Use 'find' to locate files with multiple hardlinks (link count > 1): find /path/to/models -type f -links +1 -exec ls -li {} +
- Check inode numbers to find files sharing the same inode (indicating hardlinks): ls -li /path/to/models | sort -k1,1 | uniq -d -w 10
Additionally, monitoring for suspicious ONNX model files that reference external data or unusual file access patterns during model loading could help detect exploitation attempts.