PatchSiren cyber security CVE debrief
CVE-2026-27489 onnx CVE debrief
CVE-2026-27489 is a high-severity vulnerability in Open Neural Network Exchange (ONNX), the open model format and reference library used for machine learning interoperability. Before version 1.21.0, ONNX was susceptible to path traversal via symlink: an attacker able to supply a model could read arbitrary files outside the model directory or the user-provided directory. The issue is fixed in version 1.21.0. The vulnerability carries a CVSS score of 8.7 and is rated HIGH. The CVE was published on April 1, 2026 and last modified on June 30, 2026.
- Vendor: onnx
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-01
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-01
- Advisory updated: 2026-06-30
Who should care
Organizations running Open Neural Network Exchange (ONNX) versions earlier than 1.21.0 should prioritize the upgrade to prevent arbitrary file reads, especially where models arrive from sources the organization does not control: user uploads, public model hubs, third-party vendors, or pipelines that fetch model artifacts automatically. Machine learning and AI practitioners, platform teams that host inference services, and security teams should be aware of this vulnerability and act on it.
Technical summary
The vulnerability is a path traversal in ONNX that lets an attacker read arbitrary files outside the model directory or the user-provided directory via a symlink; it was fixed in version 1.21.0. The CVSS score is 8.7 (HIGH); the attack vector is network-based and exploitation requires no user interaction. The associated weaknesses are CWE-23 (Relative Path Traversal) and CWE-61 (UNIX Symbolic Link Following). The CWE-61 classification is the practitioner's cue: a containment check that only inspects the textual path (rejecting `..` segments or comparing a string prefix) does not catch a symlink that sits inside the model directory but points outside it, so an effective check must resolve the final on-disk location and compare that against the resolved base directory.
Defensive priority
Upgrade to version 1.21.0 or later. Until the upgrade lands, treat ONNX model files, and any external data files they reference, as untrusted input: inventory the deployments that load models and confirm none of them accept models from sources the organization does not control.
Recommended defensive actions
- Patch ONNX to version 1.21.0 or later (for pip-managed environments, `pip install "onnx>=1.21.0"`, then confirm the installed version with `python -c "import onnx; print(onnx.__version__)"`)
- Inventory services that load ONNX models and identify those that accept models from untrusted sources (user uploads, public model hubs, third-party artifacts)
- Monitor model-loading services for file reads outside the expected model directories, and alert on model files or archives that contain symlinks
- Load untrusted models in a sandbox with a minimal, read-only filesystem view so that a traversal has nothing sensitive to read
- Conduct a risk assessment of ONNX usage in the organization, covering which services load models, where those models come from, and what files the loading process can reach
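As an added illustration of the check the technical summary calls for and of the "additional security controls" item above, the following Python block is example code written for this debrief; it is not code from the onnx project or from the 1.21.0 fix. It implements a symlink-aware containment check for the external data locations a model may reference, and runs it against a constructed directory tree containing one legitimate weights file and one symlink that points outside the model directory. The function names (`resolve_external_data_path`, `build_demo_tree`, `classify`) and the fixture layout are assumptions made for the example, not ONNX API names or the project's on-disk conventions.

```python
"""Added example (not onnx project code): a symlink-aware containment check for
external-data locations referenced by a model, the defect class that CWE-23 and
CWE-61 describe. All helper names and the demo tree are illustrative assumptions."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class UnsafeExternalDataPath(ValueError):
    """Raised when a referenced location escapes the model directory."""


def resolve_external_data_path(model_dir: str, location: str) -> Path:
    """Return the real on-disk path for `location`, or raise if it escapes model_dir.

    Checks, in order:
      1. reject empty and absolute locations;
      2. reject any '..' component in the textual path (CWE-23);
      3. resolve symlinks on both sides (CWE-61) and require that the resolved
         file still lies inside the resolved model directory.
    Step 2 alone is what a symlink defeats, which is why step 3 compares
    realpath() results rather than the unresolved strings.
    """
    if not location:
        raise UnsafeExternalDataPath("empty location")
    loc = Path(location)
    if loc.is_absolute():
        raise UnsafeExternalDataPath(f"absolute location not allowed: {location}")
    if ".." in loc.parts:
        raise UnsafeExternalDataPath(f"parent traversal not allowed: {location}")

    base = Path(os.path.realpath(model_dir))
    target = Path(os.path.realpath(base / loc))  # follows every symlink in the chain
    try:
        target.relative_to(base)
    except ValueError:
        raise UnsafeExternalDataPath(
            f"{location!r} resolves to {target}, outside {base}") from None
    if target == base:
        raise UnsafeExternalDataPath("location must name a file inside the model directory")
    return target


def build_demo_tree() -> tuple[str, str]:
    """Constructed fixture (not a real model): a model directory holding one
    legitimate weights file and one symlink pointing at a file outside it.
    Returns (model_dir, outside_file)."""
    root = Path(tempfile.mkdtemp(prefix="onnx-traversal-demo-"))
    outside = root / "secret.txt"
    outside.write_text("not for the model loader\n")
    model_dir = root / "model"
    (model_dir / "weights").mkdir(parents=True)
    (model_dir / "weights" / "w0.bin").write_bytes(b"\x00" * 16)
    # The CWE-61 trap: the link lives inside the model dir, its target does not.
    os.symlink(outside, model_dir / "weights" / "escape.bin")
    return str(model_dir), str(outside)


def classify(model_dir: str, locations: list[str]) -> dict[str, str]:
    """Map each candidate location to 'ok' or 'rejected'."""
    verdicts: dict[str, str] = {}
    for loc in locations:
        try:
            resolve_external_data_path(model_dir, loc)
            verdicts[loc] = "ok"
        except UnsafeExternalDataPath:
            verdicts[loc] = "rejected"
    return verdicts


if __name__ == "__main__":
    demo_model_dir, _ = build_demo_tree()
    candidates = ["weights/w0.bin", "weights/escape.bin", "../secret.txt", "/etc/hostname"]
    for loc, verdict in classify(demo_model_dir, candidates).items():
        print(f"{verdict:8s} {loc}")
```

The point of the fixture is the `weights/escape.bin` case: its textual path has no `..` and shares the model directory as a prefix, so a string-only check accepts it, while the realpath comparison rejects it because the symlink target lies outside the base directory. Rejecting every `..` component, even one that would stay inside the directory, is a deliberately conservative choice; a model has no legitimate reason to reference its data that way.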
Evidence notes
The CVE record and the NVD detail page provide the description, severity scoring, and patch information for this vulnerability; the source item URL provides additional detail on the issue and its impact.
Official resources
- CVE-2026-27489 CVE record (CVE.org)
- CVE-2026-27489 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Patch
- Mitigation or vendor reference: Exploit, Mitigation, Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.