CVE-2026-34447
Symlink Traversal in ONNX External Data Loading Allows File Access
Publication date: 2026-04-01
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | onnx | up to 1.21.0 (excluding 1.21.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34447 is a symlink traversal vulnerability in the Open Neural Network Exchange (ONNX) package affecting versions prior to 1.21.0. It occurs during the external data loading process when the software attempts to ensure that external data files reside within a specified base directory.
The vulnerability arises because the function responsible for checking file paths uses a method that follows symbolic links. This means that if a symbolic link inside the base directory points to a file outside that directory, the check passes and the external data loader reads the file outside the intended directory.
An attacker who can supply or manipulate external data files, for example by creating attacker-controlled archives that include symlinks, can exploit this to read arbitrary files outside the model directory, leading to a confidentiality breach.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to read arbitrary files outside the intended model directory by exploiting symlink traversal in ONNX's external data loading. Such unauthorized access to sensitive files can lead to confidentiality breaches.
Confidentiality breaches caused by this vulnerability could impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive personal and health information.
Therefore, if exploited, this vulnerability could result in violations of these regulations due to unauthorized disclosure of protected data.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to read sensitive files outside the intended model directory through the ONNX external data loading mechanism.
If an attacker can supply or manipulate external data files (such as via malicious archives containing symlinks), they can cause the ONNX loader to read arbitrary files on the system.
This leads to a confidentiality breach, exposing potentially sensitive or private information stored in files outside the model directory.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the ONNX models in use load external data files via symlinks that point outside the model directory. Specifically, you can look for symlinks inside the model directory that reference files outside of it.
A practical approach is to inspect the external data files referenced by ONNX models and verify whether any symlinks exist that traverse outside the intended directory.
- Use the command `find /path/to/model_dir -type l -exec sh -c 'for l; do printf "%s -> %s\n" "$l" "$(readlink -f -- "$l")"; done' sh {} +` to list every symlink in the model directory together with its fully resolved target (a bare `readlink -f {}` prints only the target, so the link name would be lost).
- Check whether any resolved target lies outside the model directory by comparing the resolved paths against the resolved path of the model directory itself (`readlink -f /path/to/model_dir`).
- Additionally, you can run a Python script that attempts to load external data for your ONNX models using the vulnerable function `load_external_data_for_model` and verify if data from outside the model directory is read.
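The containment check described above and the symlink audit from the detection steps, as an added Python example that is not ONNX project code: `is_within_base_naive` is a hypothetical weak check that only normalizes the path lexically, `is_within_base` is the hardened form that resolves symlinks before comparing, and `find_escaping_symlinks` scans a model directory for links whose targets resolve outside it. The model directory, file names and symlink are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def _under(base_real: str, path_real: str) -> bool:
    """True when path_real is base_real itself or a descendant of it."""
    return os.path.commonpath([base_real, path_real]) == base_real


def is_within_base_naive(base: str, candidate: str) -> bool:
    """Hypothetical weak check: abspath() collapses '..' lexically but does not
    resolve symlinks, so a link inside base that points outside still passes."""
    base_abs = os.path.abspath(base)
    return _under(base_abs, os.path.abspath(os.path.join(base_abs, candidate)))


def is_within_base(base: str, candidate: str) -> bool:
    """Hardened check: resolve symlinks on both sides, then compare."""
    base_real = os.path.realpath(base)
    return _under(base_real, os.path.realpath(os.path.join(base_real, candidate)))


def find_escaping_symlinks(model_dir: str) -> list:
    """Detection: every symlink under model_dir whose resolved target escapes it."""
    base_real = os.path.realpath(model_dir)
    escaping = []
    for root, dirs, files in os.walk(model_dir):  # does not follow links
        for name in dirs + files:
            p = os.path.join(root, name)
            if os.path.islink(p) and not _under(base_real, os.path.realpath(p)):
                escaping.append(p)
    return escaping


def demo() -> dict:
    """Constructed sample: a model dir holding a real weights file and a symlink
    named like an external-data file that points to a file outside the dir."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.txt"
        outside.write_text("outside-the-model-dir")
        model_dir = Path(tmp) / "model"
        model_dir.mkdir()
        (model_dir / "weights.bin").write_bytes(b"\x00" * 8)
        (model_dir / "escape.bin").symlink_to(outside)
        return {
            "naive_accepts_symlink": is_within_base_naive(str(model_dir), "escape.bin"),
            "hardened_accepts_symlink": is_within_base(str(model_dir), "escape.bin"),
            "hardened_accepts_real_file": is_within_base(str(model_dir), "weights.bin"),
            "naive_rejects_dotdot": is_within_base_naive(str(model_dir), "../secret.txt"),
            "escaping": [os.path.basename(p) for p in find_escaping_symlinks(str(model_dir))],
        }
```

The naive check rejects a plain `../secret.txt` but accepts `escape.bin`, which is exactly the gap the CWE-61 entry above describes; the hardened check and the scanner both flag it.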
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the ONNX package to version 1.21.0 or later, where this symlink traversal vulnerability has been patched.
Until the upgrade is applied, avoid loading ONNX models that include external data files from untrusted sources or that may contain symlinks pointing outside the model directory.
Also, audit and remove any suspicious symlinks in the model directories that could lead to files outside the intended directory.