CVE-2026-12480 in keras
Summary
by MITRE • 07/01/2026
Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` method and in `file_editor.py`, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability in Keras versions up to and including 3.13.2 is a critical security flaw that stems from improper handling of HDF5 virtual datasets during model loading. It is the result of an incomplete remediation of CVE-2026-1669, leaving a persistent attack vector through which adversaries can access sensitive data via seemingly benign model files. The flaw lies in the H5IOStore._verify_dataset() method and the file_editor.py component of the Keras model loading infrastructure.
The flaw is triggered when Keras processes HDF5 datasets that contain virtual dataset references without validating the dataset.is_virtual property. Virtual datasets in HDF5 allow a dataset to be assembled from data stored in external files, a transparent data access mechanism that bypasses normal security boundaries. An attacker who crafts a malicious .keras model archive or .h5 weights file containing such virtual datasets can specify paths to arbitrary files on the victim's filesystem. The root cause is that Keras does not check whether a dataset is virtual before reading its contents, so the read reaches files the model file was never meant to touch.
This security weakness directly impacts the integrity and confidentiality of systems running vulnerable Keras versions by allowing information disclosure through model loading operations. When a victim calls keras.models.load_model() or keras.saving.load_model() on a maliciously crafted file, the library transparently reads external HDF5 files that may contain sensitive data such as configuration files, credentials, or other system information. The attack requires no privileges beyond the ability to have a model loaded, which makes it particularly dangerous in environments where model loading occurs automatically or on untrusted inputs.
The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) while mapping to ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) through potential exploitation pathways that leverage the model loading process as an attack vector. Organizations using Keras for machine learning workflows face significant risk exposure, particularly in environments where models are loaded from untrusted sources or when automated model ingestion processes exist.
The recommended mitigation strategy involves upgrading to Keras versions 3.12.2 or 3.14.1, which contain proper fixes for the virtual dataset validation mechanism. System administrators should also implement strict file access controls and sandboxing measures around model loading operations, particularly in multi-tenant environments or when processing externally provided models. Additional protective measures include validating model file origins, implementing network segmentation to limit access to sensitive filesystem locations, and monitoring model loading activities for anomalous patterns that might indicate exploitation attempts. Organizations should conduct thorough security assessments of their machine learning pipelines to identify potential exposure points and ensure comprehensive protection against similar vulnerabilities in related components.
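As an added example (not Keras code and not part of the advisory), the following pre-load gate performs the `dataset.is_virtual` check described above on a raw `.h5` weights file or on every HDF5 member of a `.keras` archive, and reports which external files each virtual dataset maps to. It assumes `h5py` is installed and builds its own constructed fixtures; the VDS source path `external_source.h5` is a placeholder that is never opened.

```python
import io
import os
import tempfile
import zipfile
import h5py

def _virtual_datasets_in(h5file):
    # Returns [(dataset path, sorted source file names)] for every VDS in an open h5py.File.
    found = []
    def visitor(name, obj):
        if isinstance(obj, h5py.Dataset) and obj.is_virtual:  # the property the fix checks
            names = {m.file_name for m in obj.virtual_sources()}
            found.append((name, sorted(n.decode() if isinstance(n, bytes) else n for n in names)))
    h5file.visititems(visitor)
    return found

def find_virtual_datasets(path):
    # Handles a raw .h5 weights file and a .keras zip archive (every .h5 member inside it).
    if zipfile.is_zipfile(path):
        found = []
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.endswith(".h5"):
                    with h5py.File(io.BytesIO(zf.read(member)), "r") as f:
                        found += [(f"{member}:{ds}", s) for ds, s in _virtual_datasets_in(f)]
        return found
    with h5py.File(path, "r") as f:
        return _virtual_datasets_in(f)

def is_safe_to_load(path):
    # Gate to run before keras.models.load_model(): refuse any file that carries a VDS.
    return not find_virtual_datasets(path)

def build_samples(directory=None):
    # Constructed fixtures: a benign weights file, one with a VDS, and a .keras archive of it.
    directory = directory or tempfile.mkdtemp()
    benign = os.path.join(directory, "benign.weights.h5")
    with h5py.File(benign, "w") as f:
        f.create_dataset("dense/kernel", shape=(4, 4), dtype="f4")
    vds_h5 = os.path.join(directory, "vds.weights.h5")
    with h5py.File(vds_h5, "w") as f:
        layout = h5py.VirtualLayout(shape=(16,), dtype="u1")
        # "external_source.h5" is a placeholder path; HDF5 stores the mapping without opening it.
        layout[0:16] = h5py.VirtualSource("external_source.h5", "data", shape=(16,))
        f.create_virtual_dataset("dense/kernel", layout, fillvalue=0)
    archive = os.path.join(directory, "model.keras")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.write(vds_h5, "model.weights.h5")
    return benign, vds_h5, archive
```

Because a virtual dataset only records the mapping, the scan never reads the referenced file; it inspects the dataset creation property list, which is exactly the information a patched loader must act on before any data is read.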