CVE-2026-27489

Summary

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.

Affected Software

VendorProductVersion RangeStatus
onnxonnx< 1.21.0affected

Weaknesses

  • CWE-23: CWE-23: Relative Path Traversal
  • CWE-61: CWE-61: UNIX Symbolic Link (Symlink) Following

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

onnx: ONNX: Information Disclosure via Path Traversal Vulnerability

Additional References

References