CVE-2026-1669 in Keras
Summary
by MITRE • 02/12/2026
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
Analysis
by VulDB Data Team • 02/27/2026
This vulnerability exists within the model loading mechanism of Keras versions 3.0.0 through 3.13.1, specifically affecting the HDF5 integration component. The flaw stems from insufficient validation of external dataset references within HDF5 files, allowing attackers to craft malicious .keras model files that can trigger arbitrary file reads on systems where these models are loaded. The vulnerability is classified as a path traversal or arbitrary file read issue, which directly relates to CWE-22 Path Traversal and CWE-924 Immediate Defeat of Access Control. The security impact is particularly severe as it enables remote attackers to access local files without authentication, potentially exposing sensitive data including configuration files, credentials, or other system resources.
The vulnerability abuses the HDF5 file format's support for external dataset references, which let a dataset's contents be stored outside the HDF5 file itself. When Keras loads a .keras model file containing crafted HDF5 metadata, the model loading process does not properly sanitize or validate these external references, allowing them to resolve to arbitrary local file paths. This occurs because the loading mechanism fails to implement proper access control checks or path validation when processing external dataset references. The vulnerability is particularly dangerous because it can be exploited through a remote attack vector, requiring no local system access or privileges to execute. Attackers can craft malicious models that, when loaded by an application using vulnerable Keras versions, will attempt to read files from the system's filesystem using the external dataset reference mechanism.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can lead to complete system compromise depending on the files accessible through the arbitrary read capability. An attacker could potentially read sensitive files such as database connection strings, API keys, private certificates, or other confidential data stored on the system. The vulnerability affects all supported platforms where Keras is deployed, making it particularly concerning for cloud environments, containerized applications, and server-side applications that process user-uploaded models. This issue directly maps to ATT&CK technique T1566.002 Phishing: Spearphishing Attachment, as attackers could deliver malicious .keras model files through social engineering campaigns, and T1074 Data Staged, as the compromised data could be exfiltrated through subsequent attacks. The vulnerability also relates to T1083 File and Directory Discovery, as attackers could use the arbitrary read capability to enumerate system files and directories.
Mitigation strategies for this vulnerability require immediate action from system administrators and developers. The primary solution involves upgrading to Keras versions 3.14.0 or later where this vulnerability has been patched and the model loading mechanism properly validates external dataset references. Organizations should implement strict model validation procedures for any user-uploaded or third-party models, particularly in environments where models are loaded without proper sandboxing. Network segmentation and access controls should be enforced to limit the potential impact of successful exploitation. Additionally, implementing file integrity monitoring and anomaly detection systems can help identify unauthorized file access attempts. Security teams should also consider implementing runtime application self-protection measures or sandboxing mechanisms when loading external model files. The patch addresses the root cause by implementing proper input validation and access control checks within the HDF5 loading process, ensuring that external dataset references are properly sanitized before any file system operations are performed.
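One way to implement the model validation step described above, as an added example that is not part of this advisory or of Keras: a pre-load check that opens each HDF5 member of a .keras archive with h5py and reports every dataset whose storage is declared external. It assumes h5py is installed and that weights members end in .h5 or .hdf5; the function names and the size cap are illustrative.

```python
import io
import os
import sys
import zipfile

import h5py

MAX_MEMBER_BYTES = 2 * 1024**3  # illustrative cap on one uncompressed member


def external_refs(h5):
    """Return (dataset path, external file name) for each externally stored dataset."""
    hits = []

    def visit(name, obj):
        # Dataset.external is None for ordinary in-file storage. Reading it
        # inspects the dataset's creation properties, not the dataset's data.
        if isinstance(obj, h5py.Dataset) and obj.external:
            for ext_name, _offset, _size in obj.external:
                if isinstance(ext_name, bytes):
                    ext_name = os.fsdecode(ext_name)
                hits.append((name, ext_name))

    h5.visititems(visit)
    return hits


def scan_keras_archive(path):
    """Map each HDF5 member of a .keras zip to its external-storage datasets."""
    report = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.filename.endswith((".h5", ".hdf5")):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename}: member too large to inspect")
            with h5py.File(io.BytesIO(zf.read(info)), "r") as h5:
                refs = external_refs(h5)
            if refs:
                report[info.filename] = refs
    return report


if __name__ == "__main__":
    findings = scan_keras_archive(sys.argv[1])
    for member, refs in findings.items():
        for dataset, target in refs:
            print(f"REJECT {member}:{dataset} -> external file {target!r}")
    sys.exit(1 if findings else 0)
```

An empty report means no dataset in the archive declares external storage; any entry is grounds to reject the upload before it reaches the model loader.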