{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34446", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.894Z", "datePublished": "2026-04-01T17:37:54.737Z", "dateUpdated": "2026-04-02T14:10:36.637Z"}, "containers": {"cna": {"title": "ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp"}, {"name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"}], "affected": [{"vendor": "onnx", "product": "onnx", "versions": [{"version": "< 1.21.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:37:54.737Z"}, "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0."}], "source": {"advisory": "GHSA-cmw6-hcpp-c6jp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:10:29.172559Z", "id": "CVE-2026-34446", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:10:36.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:10:29.172559Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:10:33.155Z"}}], "cna": {"title": "ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load", "source": {"advisory": "GHSA-cmw6-hcpp-c6jp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "onnx", "product": "onnx", "versions": [{"status": "affected", "version": "< 1.21.0"}]}], "references": [{"url": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp", "name": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:37:54.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34446", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:10:36.637Z", "dateReserved": "2026-03-27T18:18:14.894Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T17:37:54.737Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0."}], "id": "CVE-2026-34446", "lastModified": "2026-04-01T18:16:30.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T18:16:30.660", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"}, {"source": "security-advisories@github.com", "url": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-61"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "onnx: ONNX: Information disclosure through hardlink path traversal", "id": "2454371", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454371"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-41", "details": ["Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.", "A flaw was found in Open Neural Network Exchange (ONNX), an open standard for machine learning interoperability. The `onnx.load` function, which is used to load machine learning models, does not correctly handle hardlinks. This vulnerability could allow an attacker to create a specially crafted ONNX model that, when loaded by a user, could lead to the disclosure of sensitive information from the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-34446", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-openvino-model-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-01T17:37:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34446\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34446\nhttps://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb\nhttps://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.21.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "onnx", "source": "cna", "vendor": "onnx"}, "product": "onnx", "vendor": "onnx"}], "analysis": {"en": {"generated_at": "2026-04-02T03:45:10.832894+00:00", "value": {"mitigation_remediation": ["Update the onnx library to version 1.21.0 or later."], "summary": {"action": "Patch", "impact": "File Read"}, "threat_synthesis": {"affected_systems": "All ONNX versions older than 1.21.0 are affected; the defect exists in the onnx:onnx library distributed by the ONNX community. Users running these older releases on any platform that supports hardlinks are vulnerable.", "description_and_impact": "ONNX load contains a flaw where hardlinks are treated like regular files, bypassing the symlink check meant to prevent path traversal. This oversight allows an attacker who can supply a malicious ONNX file to read arbitrary files accessible to the process, leading to a compromise of confidentiality and potentially integrity. The weakness aligns with CWE\u201122 (Path Traversal) and CWE\u201161 (Absolute Path Traversal).", "risk_and_exploitability": "The CVSS score of 4.7 indicates a moderate severity. Because the exploit requires possession of a crafted ONNX model\u2014typically achievable through local file uploads or when such files are loaded by an application\u2014there is no exploitable network pathway in the current description. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. Nevertheless, the risk is non\u2011zero for any environment that accepts untrusted ONNX models. Updating to version 1.21.0 or later removes the check for hardlinks and mitigates the issue."}}}}, "created": "2026-04-02T07:48:06.914377+00:00", "updated": "2026-04-02T20:16:58.536449+00:00", "vendors": ["onnx", "onnx$PRODUCT$onnx"]}