CVE-2026-28500 in onnxinfo

Summary

by MITRE • 03/18/2026

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of the time of publication, no known patched versions are available.


Analysis

by VulDB Data Team • 03/22/2026

CVE-2026-28500 affects the Open Neural Network Exchange (ONNX) framework in versions through 1.20.1. The flaw sits in the onnx.hub.load() function, where the repository trust verification mechanism contains logic that permits a security control bypass. ONNX is a widely used interoperability standard for machine learning models, enabling model sharing and execution across frameworks and platforms, and onnx.hub.load() is the core loading path that is supposed to enforce a trust check before models are pulled from potentially malicious sources.

The technical flaw lies in how the trust check is wired into the loading path. When a caller loads a model through onnx.hub.load(), the function is designed to warn when the repository is not an official one and to ask for confirmation before proceeding. Passing silent=True, however, suppresses the warning and the confirmation prompt together, so the trust check no longer gates anything. Note that silent is a parameter chosen by the calling code, not something an attacker supplies over the wire: the bypass matters when application code, a notebook or a helper script passes silent=True (typically to keep batch jobs non-interactive) while the model or repository specification comes from an attacker-influenced source. In that configuration a function that was meant to be security-conscious becomes an attack vector. The weakness is a protection mechanism failure, CWE-693: the control exists but can be switched off by a single argument with no compensating check, rather than a case of missing input validation.
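One way to keep the trust check enforced regardless of how the loader is called is to gate onnx.hub.load() behind an explicit allowlist and a pin-to-commit policy, as in this added example. It is not onnx's own code and is not part of the advisory. It assumes that onnx.hub.load() keeps its signature load(model, repo, opset, force_reload, silent) and that repository specifications take the "owner/repo:ref" form used by onnx.hub, with "main" as the default ref when none is given. The TRUSTED_REPOS contents, the requirement that the ref be a full commit SHA, and the guarded_hub_load name are choices made here for illustration.

```python
"""Guarded wrapper around onnx.hub.load() (added example, not onnx's own code)."""
from __future__ import annotations

import re

# Constructed allowlist for illustration; replace with the repositories your organization vets.
TRUSTED_REPOS = {"onnx/models"}

# A full 40-hex commit SHA. A branch or tag name can move under you; a commit cannot.
_COMMIT_SHA = re.compile(r"[0-9a-f]{40}")


def parse_repo_spec(repo: str) -> tuple[str, str]:
    """Split an "owner/repo:ref" spec into (owner/repo, ref).

    Assumption: a bare "owner/repo" means ref "main", matching onnx.hub's default.
    """
    name, sep, ref = repo.partition(":")
    if not sep:
        ref = "main"
    owner, slash, project = name.partition("/")
    if not (slash and owner and project) or "/" in project or not ref:
        raise ValueError(f"malformed repo spec: {repo!r}")
    return name, ref


def is_trusted_repo(repo: str, *, require_pinned: bool = True) -> bool:
    """True only for an allowlisted repository, pinned to a commit SHA unless require_pinned=False."""
    try:
        name, ref = parse_repo_spec(repo)
    except ValueError:
        return False
    if name not in TRUSTED_REPOS:
        return False
    return bool(_COMMIT_SHA.fullmatch(ref)) or not require_pinned


def guarded_hub_load(model: str, repo: str, opset: int | None = None, force_reload: bool = False):
    """Load through onnx.hub only after the allowlist check, and never with silent=True.

    The policy check runs before onnx is imported, so it does not depend on the library's
    own (bypassable) prompt; that prompt is left enabled as a second line of defence.
    """
    if not is_trusted_repo(repo):
        raise PermissionError(f"refusing to load {model!r} from untrusted or unpinned repo {repo!r}")
    from onnx import hub  # assumption: hub.load(model, repo, opset, force_reload, silent)

    return hub.load(model, repo=repo, opset=opset, force_reload=force_reload, silent=False)


if __name__ == "__main__":
    pinned = "onnx/models:0123456789abcdef0123456789abcdef01234567"
    for spec in (pinned, "onnx/models:main", "attacker/models:main"):
        print(f"{spec:60} trusted={is_trusted_repo(spec)}")
```

The wrapper refuses before any network activity or onnx import happens, so a repository spec that arrives from configuration, a notebook cell or a request parameter cannot reach the loader unless it is both allowlisted and pinned.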

The operational impact is that model loading becomes a zero-interaction supply-chain attack: no confirmation is requested and the user receives no indication that an untrusted source is in play. According to the advisory, when chained with file-system vulnerabilities on the victim's machine the flaw lets an attacker silently exfiltrate sensitive files such as SSH keys and cloud credentials at the moment the model is loaded. Because the activity happens inside an otherwise legitimate load call, it is hard to distinguish from normal behaviour, and the same pattern applies in any environment where code loads models from ONNX hub repositories with the prompt disabled.

Organizations and developers using ONNX face meaningful risk, since a seemingly legitimate model load can be the entry point, and credentials exfiltrated this way can be reused for follow-on access to other systems. With no patched version available at the time of publication there is no official remediation path, so compensating controls are needed now: audit code and notebooks for calls to onnx.hub.load() that pass silent=True and remove the flag; restrict the repository specifications handed to the loader to an allowlist of vetted repositories pinned to a specific commit; run model loading under a least-privilege account or sandbox that cannot read credential stores such as ~/.ssh and cloud CLI configuration directories; and monitor file access to those locations alongside hunting for unexpected outbound connections from model-loading hosts. The flaw illustrates why trust verification in machine learning tooling has to be enforced rather than merely advisory, and why model repositories deserve the same supply-chain scrutiny as package registries.

The vulnerability maps to ATT&CK technique T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), with T1078.004 (Valid Accounts: Cloud Accounts) as the natural follow-on once exfiltrated cloud credentials are reused. Because the bypass consists of a single keyword argument that is easy to overlook in code review and leaves no trace in the loader's own output, generic monitoring is unlikely to catch it. Additional controls worth considering are file integrity monitoring on credential and configuration paths, privileged access management for the service accounts under which models are loaded, and network segmentation that limits where a model-loading host can send data. The absence of a patched version makes it all the more important to track advisories for open-source machine learning frameworks and to apply such defence-in-depth measures before a fix ships.
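For the code audit recommended above, a small AST scanner finds onnx.hub.load() calls that pass silent=True, including through import aliases and as a positional argument, which a plain grep for "silent=True" would miss. This is an added example rather than VulDB's or the onnx project's tooling; it assumes silent is the fifth positional parameter of load() and treats a silent= argument that is not a literal as a lower-confidence "dynamic" finding for manual review. The sample source it scans is constructed here.

```python
"""Find onnx.hub.load(..., silent=True) call sites in Python source (added example)."""
from __future__ import annotations

import ast


class HubLoadScanner(ast.NodeVisitor):
    """Collect onnx.hub.load() calls whose silent argument is True or not a literal."""

    SILENT_POSITION = 4  # assumption: load(model, repo, opset, force_reload, silent)

    def __init__(self) -> None:
        self.hub_names = {"onnx.hub"}  # dotted expressions that resolve to the onnx.hub module
        self.load_names: set[str] = set()  # bare names bound directly to onnx.hub.load
        self.findings: list[tuple[int, str, str]] = []  # (line, callee, "literal" | "dynamic")

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "onnx.hub":
                self.hub_names.add(alias.asname or "onnx.hub")
            elif alias.name == "onnx" and alias.asname:
                self.hub_names.add(f"{alias.asname}.hub")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "onnx":
            for alias in node.names:
                if alias.name == "hub":
                    self.hub_names.add(alias.asname or "hub")
        elif node.module == "onnx.hub":
            for alias in node.names:
                if alias.name == "load":
                    self.load_names.add(alias.asname or "load")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_hub_load(node.func):
            kind = self._silent_kind(node)
            if kind is not None:
                self.findings.append((node.lineno, ast.unparse(node.func), kind))
        self.generic_visit(node)

    def _is_hub_load(self, func: ast.expr) -> bool:
        if isinstance(func, ast.Name):
            return func.id in self.load_names
        if isinstance(func, ast.Attribute) and func.attr == "load":
            return _dotted_name(func.value) in self.hub_names
        return False

    def _silent_kind(self, call: ast.Call) -> str | None:
        """Return "literal" for silent=True, "dynamic" for a non-literal value, None otherwise."""
        value: ast.expr | None = None
        for kw in call.keywords:
            if kw.arg == "silent":
                value = kw.value
        if value is None and len(call.args) > self.SILENT_POSITION:
            value = call.args[self.SILENT_POSITION]
        if value is None:
            return None
        if isinstance(value, ast.Constant):
            return "literal" if value.value is True else None
        return "dynamic"


def _dotted_name(node: ast.expr) -> str | None:
    """Render an a.b.c attribute chain as a dotted string; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str, filename: str = "<string>") -> list[tuple[int, str, str]]:
    scanner = HubLoadScanner()
    scanner.visit(ast.parse(source, filename=filename))
    return scanner.findings


# Constructed sample input: three risky call sites and two benign ones.
SAMPLE_SOURCE = '''
import onnx.hub
from onnx import hub as h
from onnx.hub import load as hub_load
import json

m1 = onnx.hub.load("resnet50", repo="someone/models:main", silent=True)
m2 = h.load("mobilenet", silent=False)
m3 = hub_load("yolo", "x/y:main", None, False, True)
quiet = True
m4 = h.load("squeezenet", silent=quiet)
cfg = json.load(open("cfg.json"))
'''

if __name__ == "__main__":
    for line, callee, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {callee}(...) silent={kind}")
```

Run it over a tree with something like a loop over *.py files feeding each file's text to scan_source(); the "dynamic" findings are the ones where the flag comes from a variable or configuration and need a human to decide whether it can ever be True.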

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00011

KEV

no

Activities

very low
