PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27489 onnx CVE debrief

CVE-2026-27489 is a high-severity vulnerability in Open Neural Network Exchange (ONNX), a standard for machine learning interoperability. Prior to version 1.21.0, ONNX was susceptible to a path traversal vulnerability via symlink, allowing attackers to read arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.0. The vulnerability has a CVSS score of 8.7 and is classified as HIGH severity. The CVE was published on April 1, 2026, and last modified on June 30, 2026.

Vendor
onnx
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-01
Original CVE updated
2026-06-30
Advisory published
2026-04-01
Advisory updated
2026-06-30

Who should care

Organizations running Open Neural Network Exchange (ONNX) versions prior to 1.21.0 should prioritize patching this vulnerability to prevent unauthorized file reads. Machine learning and AI practitioners, as well as security teams, should be aware of this vulnerability and take the necessary actions to protect their systems.

Technical summary

The path traversal vulnerability in ONNX allows attackers to read arbitrary files outside the model or user-provided directory via a symlink. The issue was patched in version 1.21.0. The vulnerability has a CVSS score of 8.7, indicating high severity. The attack vector is network-based, and the vulnerability can be exploited without user interaction. The associated weaknesses are CWE-23 (relative path traversal) and CWE-61 (UNIX symbolic link following).

Defensive priority

Patching to version 1.21.0 or later is strongly recommended. Organizations should also review their ONNX deployments and ensure that they do not load model files or model directories from untrusted sources.

Recommended defensive actions

  • Patch ONNX to version 1.21.0 or later
  • Review ONNX deployments for exposure to untrusted inputs
  • Monitor for suspicious activity related to ONNX usage
  • Implement additional security controls to prevent exploitation, such as validating that every resolved model data path stays within the intended model directory
  • Conduct a thorough risk assessment of ONNX usage in the organization
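The following is an added example of the kind of path-containment check a defender can place in front of any loader that reads a model's external data files; it is not code from the ONNX project and not the fix shipped in 1.21.0. It assumes that external data locations are relative paths resolved against the model's directory (the page does not describe the loader's internals, so treat that as an assumption). The check resolves symlinks before comparing paths, which is what defeats the symlink variant described in the debrief, and the demo builds a constructed model directory with one legitimate file and several escaping locations.

```python
import os
import tempfile


def resolve_within(base_dir: str, location: str) -> str:
    """Resolve `location` against `base_dir`, following symlinks, and return
    the real path only if it remains inside `base_dir`; raise otherwise.

    Both sides are passed through os.path.realpath so that a symlink planted
    inside the model directory is compared by its *target*, not its name.
    """
    base_real = os.path.realpath(base_dir)
    # Absolute locations never belong in a relocatable model directory.
    if os.path.isabs(location):
        raise ValueError(f"absolute location rejected: {location!r}")
    candidate = os.path.realpath(os.path.join(base_real, location))
    # commonpath on two real paths: if the longest shared prefix is not the
    # base directory itself, the candidate lives outside it ("model2/" or
    # "../secret.txt" both fail here).
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(
            f"location escapes model directory: {location!r} -> {candidate}"
        )
    return candidate


def check_external_locations(base_dir: str, locations: list) -> dict:
    """Classify each location as 'ok' or 'rejected' without opening anything."""
    verdicts = {}
    for loc in locations:
        try:
            resolve_within(base_dir, loc)
            verdicts[loc] = "ok"
        except ValueError:
            verdicts[loc] = "rejected"
    return verdicts


def demo() -> dict:
    """Constructed scenario: a model directory holding a real weights file and
    a symlink that points at a file outside the directory (hypothetical names)."""
    with tempfile.TemporaryDirectory() as root:
        model_dir = os.path.join(root, "model")
        os.mkdir(model_dir)
        outside = os.path.join(root, "secret.txt")  # lives outside model_dir
        with open(outside, "w") as f:
            f.write("not for the model loader\n")
        with open(os.path.join(model_dir, "weights.bin"), "wb") as f:
            f.write(b"\x00" * 16)
        # The symlink is *inside* model_dir by name but resolves outside it.
        os.symlink(outside, os.path.join(model_dir, "escape.bin"))
        locations = [
            "weights.bin",      # legitimate external data file
            "escape.bin",       # symlink whose target is outside the directory
            "../secret.txt",    # classic dot-dot traversal
            "/etc/hostname",    # absolute path
        ]
        return check_external_locations(model_dir, locations)


if __name__ == "__main__":
    for location, verdict in demo().items():
        print(f"{location:15s} {verdict}")
```

The comparison is done on real paths on both sides, so the check also behaves correctly when the model directory itself sits under a symlinked parent (for example a temp directory under /var on macOS); a name-only prefix comparison would pass the symlink case above and miss the vulnerability class entirely.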

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its severity, and the patching information. The source item URL provides additional details on the vulnerability and its impact.

Official resources

This article is AI-assisted and based on the supplied source corpus.