CVE-2026-12480

Status: Received - Intake

Arbitrary HDF5 File Read in Keras

Vulnerability report for CVE-2026-12480, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: huntr.dev

Description

Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` method and in `file_editor.py`, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product   Version / Range
keras    keras     up to 3.13.2 (inclusive)
keras    keras     3.12.2
keras    keras     3.14.1

Exploitability

CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.

AI Quick Actions

Executive Summary

This vulnerability affects Keras versions up to and including 3.13.2 and involves an arbitrary HDF5 file read due to an incomplete fix for a previous issue (CVE-2026-1669). The problem lies in the `H5IOStore._verify_dataset()` method and in `file_editor.py`, which do not properly check the `dataset.is_virtual` property of HDF5 datasets.

An attacker can craft a malicious .keras model archive or .h5 weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads this model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is read transparently, potentially exposing sensitive information.

Impact Analysis

This vulnerability can lead to information disclosure by allowing an attacker to read arbitrary files on the victim's filesystem. Specifically, by loading a malicious model or weights file, the victim's system may unknowingly read external HDF5 files referenced by a Virtual Dataset, exposing potentially sensitive data.

Detection Guidance

This vulnerability involves loading malicious Keras model files (.keras or .h5) that contain Virtual Datasets (VDS) referencing external HDF5 files. Detection would involve identifying usage of vulnerable Keras versions (up to 3.13.2) and monitoring or scanning for suspicious model files that may contain VDS.

Since the vulnerability is triggered when loading models using keras.models.load_model() or keras.saving.load_model(), you can detect attempts by monitoring logs or tracing calls to these functions.

There are no explicit commands provided in the resources to detect this vulnerability on your system or network.
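One way to do the file-side scanning described above, as an added example that is not part of this page or of Keras itself: a small Python scanner that opens a bare `.h5` weights file or a `.keras` archive (assumed, as in Keras 3, to be a zip whose weights live in an `.h5` member such as `model.weights.h5`) and reports every dataset whose HDF5 layout is virtual, together with the source file names the VDS points at. It assumes `h5py` is installed (it exposes `Dataset.is_virtual` and `Dataset.virtual_sources()`). The scanner inspects layout metadata only and never reads dataset contents, so running it over a file does not itself trigger the external read. The `make_constructed_samples()` helper builds constructed sample files in a temporary directory (a clean weights file, one carrying a VDS that points at a benign `source.h5` created beside it, and a `.keras`-style zip wrapping it) so the scanner can be exercised offline.

```python
import io
import os
import tempfile
import zipfile

import h5py          # assumption: h5py is installed (provides is_virtual / virtual_sources)
import numpy as np   # h5py depends on numpy; used here only to build the constructed samples


def find_virtual_datasets(h5file):
    """Walk an open h5py.File and return [(dataset_path, [source_file_names])]
    for every dataset whose HDF5 layout is virtual. Only the dataset creation
    property list is inspected; no data is read, so no external source is opened."""
    findings = []

    def visit(name, obj):
        if isinstance(obj, h5py.Dataset) and obj.is_virtual:
            sources = sorted({vs.file_name for vs in obj.virtual_sources()})
            findings.append((name, sources))

    h5file.visititems(visit)
    return findings


def scan_hdf5_bytes(data):
    """Scan an in-memory HDF5 image (e.g. a zip member) without writing it to disk."""
    with h5py.File(io.BytesIO(data), "r") as f:
        return find_virtual_datasets(f)


def scan_model_file(path):
    """Scan a bare .h5 weights file or a .keras archive (a zip carrying its weights
    as an .h5 member, model.weights.h5 in Keras 3). Returns a list of
    (member:dataset_path, sources) findings; an empty list means no VDS was found."""
    if zipfile.is_zipfile(path):
        findings = []
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.endswith((".h5", ".hdf5")):
                    for ds_path, sources in scan_hdf5_bytes(zf.read(member)):
                        findings.append((f"{member}:{ds_path}", sources))
        return findings
    with h5py.File(path, "r") as f:
        return find_virtual_datasets(f)


def make_constructed_samples():
    """Build constructed sample files in a temp dir for a self-test: a clean weights
    file, a weights file with a VDS pointing at a benign source.h5 created alongside
    it, and a .keras-style zip wrapping that file. Returns a dict of paths."""
    d = tempfile.mkdtemp(prefix="vds-scan-")

    clean = os.path.join(d, "clean.weights.h5")
    with h5py.File(clean, "w") as f:
        f.create_dataset("layers/dense/vars/0", data=np.zeros((2, 2)))

    source = os.path.join(d, "source.h5")          # benign, constructed VDS target
    with h5py.File(source, "w") as f:
        f.create_dataset("data", data=np.arange(4, dtype="i8"))

    layout = h5py.VirtualLayout(shape=(4,), dtype="i8")
    layout[:] = h5py.VirtualSource(source, "data", shape=(4,))
    vds = os.path.join(d, "vds.weights.h5")
    with h5py.File(vds, "w") as f:
        f.create_dataset("layers/dense/vars/0", data=np.zeros((2, 2)))
        f.create_virtual_dataset("layers/dense/vars/1", layout)

    keras_archive = os.path.join(d, "model.keras")
    with zipfile.ZipFile(keras_archive, "w") as zf:
        zf.writestr("config.json", "{}")
        zf.write(vds, arcname="model.weights.h5")

    return {"clean": clean, "vds": vds, "keras": keras_archive}


if __name__ == "__main__":
    for label, path in make_constructed_samples().items():
        print(label, scan_model_file(path))
```

A non-empty result is a reason to quarantine the file rather than load it: a legitimate Keras weights file has no business carrying virtual datasets, and the reported source names show exactly which paths a load would have opened.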

Mitigation Strategies

The immediate mitigation step is to upgrade Keras to a fixed version. The vulnerability is fixed in versions 3.12.2 and 3.14.1, so upgrading to one of these or a later version will resolve the issue.

Additionally, avoid loading untrusted or unauthenticated .keras or .h5 model files, as these could contain malicious Virtual Datasets that exploit this vulnerability.
