CVE-2026-34446
Received Received - Intake
Path Traversal via Hardlink in ONNX before

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34446
EUVD
EUVD-2026-17987
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation onnx to 1.21.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to perform arbitrary file reads on the victim’s machine by exploiting hardlinks in malicious ONNX models. Such unauthorized access to sensitive files could lead to the exposure of confidential information.

In contexts where sensitive data is handled, such as AI supply chains or platforms hosting machine learning models, this could result in violations of data protection regulations like GDPR or HIPAA, which mandate strict controls over the confidentiality and security of personal and health-related data.

Therefore, the vulnerability poses a risk to compliance with these standards by potentially enabling data breaches through unauthorized file access.

Mitigation Strategies

The primary mitigation step is to upgrade the ONNX library to version 1.21.0 or later, where this vulnerability has been patched.

Until the upgrade is applied, avoid loading ONNX models from untrusted sources, especially those that might contain hardlinks or external data references.

Implement file system monitoring to detect and prevent the presence of hardlinks in directories used for ONNX models.

Consider restricting user permissions and access controls to limit the ability to create or use hardlinks in sensitive environments.

Executive Summary

CVE-2026-34446 is a vulnerability in the ONNX library's onnx.load function, present in versions up to 1.20.1 and fixed in 1.21.0. The issue occurs because the code tries to prevent path traversal attacks by checking for symbolic links (symlinks), but it completely misses hardlinks. Hardlinks appear as regular files on the filesystem and share the same inode, so the security check does not detect them.

This flaw allows an attacker to craft malicious ONNX models containing external data references via hardlinks, which can bypass security checks and enable arbitrary file reads on the victim’s machine.

The vulnerability is related to improper limitation of pathname to restricted directories (CWE-22) and insufficient handling of symbolic links (CWE-61).

Impact Analysis

This vulnerability can allow an attacker to perform arbitrary file reads on your machine by exploiting the failure to detect hardlinks in malicious ONNX models.

In practical terms, this means sensitive information could be silently exfiltrated without your awareness, especially in AI supply chain contexts where models are shared or downloaded from platforms like HuggingFace.

The attack requires local access and user interaction, and has a moderate severity with a CVSS score of 4.7.

Detection Guidance

This vulnerability involves the presence of hardlinks in ONNX model files that bypass the symlink checks in the onnx.load function. To detect potential exploitation, you can look for ONNX model files that contain hardlinks or unusual inode link counts.

On a Unix-like system, you can use the following commands to identify hardlinks in directories containing ONNX models:

  • Use 'find' to locate files with multiple hardlinks (link count > 1): find /path/to/models -type f -links +1 -exec ls -li {} +
  • Check inode numbers to find files sharing the same inode (indicating hardlinks): ls -li /path/to/models | sort -k1,1 | uniq -d -w 10

Additionally, monitoring for suspicious ONNX model files that reference external data or unusual file access patterns during model loading could help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart