CVE-2026-34447
Symlink Traversal in ONNX External Data Loading Allows File Access

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.
Meta Information
Generated: 2026-06-16
Affected Vendors & Products
Associated CPE (1):
Vendor: linuxfoundation
Product: onnx
Version / Range: all versions before 1.21.0 (1.21.0 excluded)
CWE-61: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Compliance Impact

This vulnerability allows an attacker to read arbitrary files outside the intended model directory by exploiting symlink traversal in ONNX's external data loading. Such unauthorized access to sensitive files can lead to confidentiality breaches.

Confidentiality breaches caused by this vulnerability could impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to sensitive personal and health information.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to unauthorized disclosure of protected data.

Executive Summary

CVE-2026-34447 is a symlink traversal vulnerability in the Open Neural Network Exchange (ONNX) package affecting versions prior to 1.21.0. It occurs during the external data loading process when the software attempts to ensure that external data files reside within a specified base directory.

The vulnerability arises because the function responsible for checking file paths validates the path as written rather than the target that a symbolic link resolves to. As a result, a symbolic link inside the base directory that points to a file outside that directory passes the check, and the external data loader reads the file outside the intended directory.

An attacker who can supply or manipulate external data files, for example by creating attacker-controlled archives that include symlinks, can exploit this to read arbitrary files outside the model directory, leading to a confidentiality breach.

Impact Analysis

This vulnerability can impact you by allowing an attacker to read sensitive files outside the intended model directory through the ONNX external data loading mechanism.

If an attacker can supply or manipulate external data files (such as via malicious archives containing symlinks), they can cause the ONNX loader to read arbitrary files on the system.

This leads to a confidentiality breach, exposing potentially sensitive or private information stored in files outside the model directory.

Detection Guidance

This vulnerability can be detected by checking if the ONNX models in use load external data files via symlinks that point outside the model directory. Specifically, you can look for symlinks inside the model directory that reference files outside of it.

A practical approach is to inspect the external data files referenced by ONNX models and verify whether any symlinks exist that traverse outside the intended directory.

  • Use the command `find /path/to/model_dir -type l -exec readlink -f {} \;` to list all symlinks in the model directory and their resolved targets.
  • Check if any resolved symlink target is outside the model directory by comparing the output paths.
  • Additionally, you can run a Python script that attempts to load external data for your ONNX models using the vulnerable function `load_external_data_for_model` and verify if data from outside the model directory is read.
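
As an added illustration (not ONNX's own code or its actual fix), the following Python contrasts a containment check that only normalizes the path text with one that resolves symlinks before checking, and turns the find/readlink step above into a scanner; the model directory with an escaping symlink is constructed inline in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

def lexical_check(base_dir: str, rel_path: str) -> bool:
    """Containment check that only normalizes the path text ('..', '.').
    It never resolves symlinks, so a link inside base_dir whose target
    lies outside still passes: the weakness class described above."""
    base = os.path.abspath(base_dir)
    target = os.path.normpath(os.path.join(base, rel_path))
    return os.path.commonpath([base, target]) == base


def resolved_check(base_dir: str, rel_path: str) -> bool:
    """Containment check on the fully resolved path: realpath() follows
    every symlink component, so a link escaping base_dir is rejected."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel_path))
    return os.path.commonpath([base, target]) == base


def find_escaping_symlinks(model_dir: str) -> list:
    """Walk model_dir and return (link, resolved_target) pairs whose target
    resolves outside the directory; the find/readlink step as a function."""
    base = os.path.realpath(model_dir)
    found = []
    for root, dirs, files in os.walk(model_dir):  # does not follow links
        for name in dirs + files:
            link = os.path.join(root, name)
            if os.path.islink(link):
                real = os.path.realpath(link)
                if os.path.commonpath([base, real]) != base:
                    found.append((link, real))
    return found


def demo() -> dict:
    """Constructed layout: model/weights.bin is a symlink to a file that
    sits outside model/. Runs all three checks and returns the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "secret.txt")
        Path(outside).write_text("constructed, not real data")
        model_dir = os.path.join(tmp, "model")
        os.mkdir(model_dir)
        os.symlink(outside, os.path.join(model_dir, "weights.bin"))
        return {
            "lexical_passes": lexical_check(model_dir, "weights.bin"),
            "resolved_passes": resolved_check(model_dir, "weights.bin"),
            "escaping_links": len(find_escaping_symlinks(model_dir)),
        }
```

Run `find_escaping_symlinks` against a real model directory to get the same list the `find ... -exec readlink -f` command produces, already filtered to links that leave the directory.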

Mitigation Strategies

The immediate mitigation step is to upgrade the ONNX package to version 1.21.0 or later, where this symlink traversal vulnerability has been patched.

Until the upgrade is applied, avoid loading ONNX models that include external data files from untrusted sources or that may contain symlinks pointing outside the model directory.

Also, audit and remove any suspicious symlinks in the model directories that could lead to files outside the intended directory.
