ONNX Flaws Enable Server Crashes and Arbitrary File Reads via Malicious Models
Two high-severity vulnerabilities in ONNX affect versions prior to 1.21.0; both are triggered by a malicious model file, but in different ways. CVE-2026-34445 stems from the ExternalDataInfo class calling Python's setattr() with keys taken from model metadata without validating them, so a crafted ONNX file can overwrite internal attributes of the object. The flaw is remotely exploitable with low attack complexity and requires neither privileges nor user interaction; reported impacts range from server crashes to broader integrity and confidentiality loss. Any service that parses models from untrusted sources (upload endpoints, model hubs, shared training or inference pipelines) is in scope.
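The following is an added illustration, not ONNX's code: a hypothetical loader that copies metadata keys onto an object with setattr(), exactly the pattern the advisory describes, beside a hardened version that allowlists and type-checks keys before setting them. Class names, field names, the `read` method and the sample metadata are all constructed for this example.

```python
"""Added example (not ONNX's code): unvalidated setattr() on metadata keys,
and a hardened loader that rejects unknown keys and malformed values.
All names and inputs here are hypothetical.
"""


class NaiveExternalDataInfo:
    """Copies every metadata key onto the object, like the flawed pattern."""

    def __init__(self, entries):
        self.location = None
        self.offset = 0
        self.length = 0
        for key, value in entries:
            # Attacker-controlled key: can shadow any attribute, including
            # methods defined on the class, so a later call blows up.
            setattr(self, key, value)

    def read(self, blob: bytes) -> bytes:
        return blob[self.offset:self.offset + self.length]


# Allowlist of keys the loader actually understands, each with a type and
# range check; anything else is refused before setattr() ever runs.
_VALIDATORS = {
    "location": lambda v: isinstance(v, str) and v != "",
    "offset": lambda v: type(v) is int and v >= 0,   # type() is int excludes bool
    "length": lambda v: type(v) is int and v >= 0,
    "checksum": lambda v: isinstance(v, str),
}


class StrictExternalDataInfo:
    """Same fields, but unknown keys and bad values raise ValueError.
    __slots__ also leaves no instance __dict__ for stray names to land in."""

    __slots__ = tuple(_VALIDATORS)

    def __init__(self, entries):
        self.location = None
        self.offset = 0
        self.length = 0
        self.checksum = None
        for key, value in entries:
            check = _VALIDATORS.get(key)
            if check is None:
                raise ValueError(f"unexpected external-data key {key!r}")
            if not check(value):
                raise ValueError(f"bad value for {key!r}: {value!r}")
            setattr(self, key, value)

    def read(self, blob: bytes) -> bytes:
        return blob[self.offset:self.offset + self.length]


def try_read(cls, entries, blob):
    """Build an info object from `entries` and read from `blob`, reporting
    the outcome instead of letting the exception take the process down."""
    try:
        return ("ok", cls(entries).read(blob))
    except Exception as exc:  # report the exception class by name
        return ("error", type(exc).__name__)


# Constructed inputs: benign metadata, and the same list with a hostile key
# that shadows the read() method with a string.
BENIGN = [("location", "weights.bin"), ("offset", 2), ("length", 3)]
HOSTILE = BENIGN + [("read", "not a function")]
BLOB = b"0123456789"

if __name__ == "__main__":
    print(try_read(NaiveExternalDataInfo, BENIGN, BLOB))    # ('ok', b'234')
    print(try_read(NaiveExternalDataInfo, HOSTILE, BLOB))   # ('error', 'TypeError')
    print(try_read(StrictExternalDataInfo, HOSTILE, BLOB))  # ('error', 'ValueError')
```

The naive loader accepts the hostile file and only fails later, when the shadowed method is called from inside the serving path; that uncaught TypeError is the "server crash" outcome. The strict loader fails at parse time with a clear error, before any attribute is touched.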
A second issue, CVE-2026-27489, allows arbitrary file reads outside the intended model or user-supplied directory through a path traversal involving symlinks, so a path that appears to sit inside the model directory can resolve to a file elsewhere on the host. The vulnerability is classified under CWE-23 and CWE-61, while the object-setting flaw is mapped to CWE-20, CWE-400, and CWE-915. ONNX has patched both vulnerabilities in version 1.21.0 and published advisory and code references alongside the disclosures. Upgrade to 1.21.0 or later; until then, treat model files from untrusted sources as hostile input and load them only in an isolated environment with no secrets on the filesystem.
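As an added example (not ONNX's loader or its fix), the check below confines an external-data location to the model directory by resolving symlinks before comparing paths, so both `../` segments and links that point outside are rejected. The same check applies unchanged to the write side, where a traversed path would overwrite files rather than read them. The directory layout, file names and loader functions are constructed for this illustration.

```python
"""Added example (not ONNX's code): confine an external-data path to the
model directory so neither '..' segments nor symlinks can reach outside it.
Fixture layout and function names are constructed for this illustration.
"""
import os
import tempfile


def resolve_within(base_dir: str, location: str) -> str:
    """Return the real path of base_dir/location, or raise if it escapes.

    realpath() follows every symlink component, so a link inside base_dir
    that points outside is caught the same way a '../' segment is.
    """
    if os.path.isabs(location):
        raise ValueError(f"absolute location not allowed: {location!r}")
    base_real = os.path.realpath(base_dir)
    target_real = os.path.realpath(os.path.join(base_real, location))
    # commonpath compares whole components, so 'model' vs 'model2' is not
    # mistaken for a prefix match the way a string startswith() would be.
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise ValueError(f"location escapes model directory: {location!r}")
    return target_real


def naive_load(model_dir: str, location: str) -> bytes:
    """The unsafe pattern: join and open, trusting the model's path."""
    with open(os.path.join(model_dir, location), "rb") as f:
        return f.read()


def safe_load(model_dir: str, location: str) -> bytes:
    """Hardened: refuse anything whose real path leaves model_dir."""
    with open(resolve_within(model_dir, location), "rb") as f:
        return f.read()


def build_fixture() -> str:
    """Constructed layout (returns the model directory):
        <root>/secret.txt          outside the model directory
        <root>/model/weights.bin   legitimate external data
        <root>/model/link.bin      symlink to ../secret.txt
    """
    root = tempfile.mkdtemp(prefix="onnx-demo-")
    model_dir = os.path.join(root, "model")
    os.mkdir(model_dir)
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("TOPSECRET")
    with open(os.path.join(model_dir, "weights.bin"), "wb") as f:
        f.write(b"\x00\x01\x02")
    os.symlink(os.path.join(root, "secret.txt"),
               os.path.join(model_dir, "link.bin"))
    return model_dir


def outcome(loader, model_dir: str, location: str):
    """Run a loader and report ('ok', data) or ('rejected', message)."""
    try:
        return ("ok", loader(model_dir, location))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    model_dir = build_fixture()
    for loc in ("weights.bin", "link.bin", "../secret.txt"):
        print(loc, outcome(naive_load, model_dir, loc),
              outcome(safe_load, model_dir, loc))
```

Two caveats a practitioner should keep in mind. The resolve-then-open sequence is a check followed by a use, so if an attacker can modify the model directory concurrently, the link can be swapped between the two steps; for that threat model, open the file with the directory's file descriptor and `O_NOFOLLOW` per component instead. And `realpath()` on a path that does not exist resolves as far as it can, which is fine for a read (the open fails anyway) but means a write-side check should also confirm the parent directory's real path before creating the file.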
Timeline
Apr 1, 2026
CVE-2026-27489 and CVE-2026-34445 are publicly disclosed
Public advisories disclosed two ONNX vulnerabilities affecting versions prior to 1.21.0: CVE-2026-27489, a path traversal via symlink issue, and CVE-2026-34445, a flaw in ExternalDataInfo that could let malicious ONNX models crash servers and alter internal object properties. The disclosures included severity classifications, CVSS vectors, and references to related advisories and code.
Apr 1, 2026
ONNX fixes two vulnerabilities in version 1.21.0
ONNX released version 1.21.0 to patch two flaws affecting earlier versions: CVE-2026-34445, which allowed malicious model metadata to overwrite object properties via unvalidated setattr() usage, and CVE-2026-27489, a symlink-based path traversal that enabled arbitrary file reads outside intended directories.
Related Stories

Arbitrary File Write Flaws in OpenClaw and ONNX Enable Code Execution
Two high-severity vulnerabilities were disclosed in **OpenClaw** and **ONNX** that can let attackers write to unintended files and potentially gain code execution. In OpenClaw, `GHSA-7XR2-Q9VF-X4R5` describes a symlink traversal issue involving `IDENTITY.md` that allows an authenticated attacker, over the network, with low complexity and no additional user interaction, to append user-controlled content to any file writable by the Node.js process. The flaw was rated **CVSS 8.8** and can affect confidentiality, integrity, and availability, with reported outcomes including privilege escalation, persistent shell access, data corruption, denial of service, and remote code execution. A separate **CVSS 8.8** issue in ONNX, tracked as `CVE-2025-51480` / `GHSA-Q56X-G2FJ-4RJ6`, affects `save_external_data` and allows path traversal that can overwrite or read arbitrary files when a crafted model is processed. The reported impact includes overwriting files such as `~/.ssh/authorized_keys`, `~/.bashrc`, or scheduled task definitions, which can escalate to remote code execution under the privileges of the user running the ONNX workflow. In containerized environments, the flaw can also lead to full container compromise and possible lateral movement within a cluster.
1 month ago
OpenCode AI Coding Agent RCE via Unauthenticated Local Server and Web UI XSS
Security researchers disclosed two high-severity vulnerabilities in the open-source **OpenCode** AI coding agent that can allow **arbitrary command execution on a developer workstation** in drive-by scenarios. **CVE-2026-22812** stems from OpenCode automatically starting an **unauthenticated HTTP server** with **permissive CORS** (`Access-Control-Allow-Origin: *`), enabling any local process—or a malicious website via cross-origin requests—to invoke sensitive local API endpoints and execute shell commands with the user’s privileges. Separately, **CVE-2026-22813** is a **critical** issue in the OpenCode web UI where the markdown renderer can inject arbitrary HTML into the DOM without sanitization (no *DOMPurify* and no CSP), enabling JavaScript execution on the `http://localhost:4096` origin and subsequent access to local APIs that can spawn processes. Mitigations are available for both OpenCode issues: **CVE-2026-22812** is fixed in **OpenCode 1.0.216**, and **CVE-2026-22813** is fixed in **OpenCode 1.1.10**. Other items in the set describe unrelated vulnerabilities in different products (e.g., a command-injection flaw in an end-of-life VS Code extension, unsafe deserialization in *LlamaIndex*, ReDoS in *LangChain*, and various web app SQLi/XSS/access-control issues) and do not materially change the OpenCode risk picture; they should be tracked separately by affected-asset ownership and exposure.
1 month ago
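To make the OpenCode CORS point concrete, here is an added example (not OpenCode's code) that models the request-handling policy of a localhost API as plain functions: the wildcard `Access-Control-Allow-Origin: *` policy beside a hardened one that only acknowledges the app's own origin and requires a per-process bearer token. The `handle_run` endpoint, the token scheme and the header dicts are hypothetical; only the header names and the `localhost:4096` origin come from the story.

```python
"""Added example (not OpenCode's code): wildcard CORS on a localhost API
versus an origin allowlist plus a per-process bearer token. Requests are
plain dicts of headers so the logic runs without sockets; endpoint and
token handling are hypothetical.
"""
import hmac
import secrets

LOCAL_PORT = 4096  # the origin the story names: http://localhost:4096


def permissive_cors(request_headers: dict) -> dict:
    """Vulnerable policy: any site may read responses, nobody is checked."""
    return {"Access-Control-Allow-Origin": "*"}


class LocalApiPolicy:
    """Hardened policy: acknowledge only the app's own origin, and require a
    startup-generated token that a foreign page or process cannot know."""

    def __init__(self, port: int = LOCAL_PORT):
        self.allowed_origins = {f"http://localhost:{port}",
                                f"http://127.0.0.1:{port}"}
        # Generated once per process and handed only to the local UI.
        self.token = secrets.token_urlsafe(32)

    def cors_headers(self, request_headers: dict) -> dict:
        origin = request_headers.get("Origin")
        if origin in self.allowed_origins:
            return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        return {}  # no ACAO header: the browser blocks any other site

    def authorize(self, request_headers: dict) -> bool:
        presented = request_headers.get("Authorization", "").encode()
        expected = f"Bearer {self.token}".encode()
        return hmac.compare_digest(presented, expected)


def handle_run(policy: LocalApiPolicy, request_headers: dict, command: str):
    """Endpoint shaped like the 'spawn a process' API in the story
    (hypothetical). Returns (status, body) and executes nothing."""
    if not policy.authorize(request_headers):
        return 401, {}
    # A cross-site POST still reaches the server even when the browser
    # would block reading the response, so refuse foreign origins outright.
    if "Origin" in request_headers and not policy.cors_headers(request_headers):
        return 403, {}
    return 200, {"would_run": command}


if __name__ == "__main__":
    policy = LocalApiPolicy()
    evil = {"Origin": "https://attacker.example"}  # constructed request
    print(permissive_cors(evil))                   # any site gets '*'
    print(handle_run(policy, evil, "id"))          # (401, {})
    local_ui = {"Origin": f"http://localhost:{LOCAL_PORT}",
                "Authorization": f"Bearer {policy.token}"}
    print(handle_run(policy, local_ui, "id"))      # (200, {'would_run': 'id'})
```

Both layers matter: the origin check alone still leaves any local process free to call the API, and the token alone does not stop a page that has already achieved script execution on the app's own origin, which is exactly what the markdown XSS in the second CVE provides. That is why the XSS fix (sanitization and a CSP) is a separate requirement rather than a nice-to-have.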
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
1 month ago