{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1462", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-27T04:14:51.848Z", "datePublished": "2026-04-13T14:55:28.649Z", "dateUpdated": "2026-04-13T18:53:12.291Z"}, "containers": {"cna": {"title": "Safe Mode Bypass in keras-team/keras", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-13T14:55:28.649Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method."}], "affected": [{"vendor": "keras-team", "product": "keras-team/keras", "versions": [{"version": "unspecified", "lessThan": "3.13.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"}, {"url": "https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502"}]}], "source": {"advisory": "7e78d6f1-6977-4300-b595-e81bdbda331c", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:53:01.058651Z", "id": "CVE-2026-1462", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:53:12.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1462", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T18:53:01.058651Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:53:07.966Z"}}], "cna": {"title": "Safe Mode Bypass in keras-team/keras", "source": {"advisory": "7e78d6f1-6977-4300-b595-e81bdbda331c", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "keras-team", "product": "keras-team/keras", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.13.2", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"}, {"url": "https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"}], "descriptions": [{"lang": "en", "value": "A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-13T14:55:28.649Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1462", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:53:12.291Z", "dateReserved": "2026-01-27T04:14:51.848Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-04-13T14:55:28.649Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method."}], "id": "CVE-2026-1462", "lastModified": "2026-04-17T15:34:21.867", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-04-13T15:17:18.967", "references": [{"source": "security@huntr.dev", "url": "https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "keras: Keras: Arbitrary Code Execution Vulnerability Bypassing Safe Mode", "id": "2457856", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457856"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in the `keras` package. This vulnerability allows an attacker to execute unauthorized code on a victim's system. It occurs when a victim loads a specially crafted `.keras` model, even if the `safe_mode` security feature is active. The issue arises because the `keras` package can unconditionally load external TensorFlow SavedModels without sufficient validation, thereby bypassing the intended security protections and leading to arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-1462", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-runtime-adapter-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-modelmesh-runtime-adapter-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-13T14:55:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1462\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1462\nhttps://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f\nhttps://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.13.0,3.13.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "keras-team/keras", "source": "cna", "vendor": "keras-team"}, "product": "keras", "vendor": "keras"}], "analysis": {"en": {"generated_at": "2026-04-14T01:51:59.290597+00:00", "value": {"mitigation_remediation": ["Upgrade keras to a patched release (3.13.1 or newer).", "Restrict loading of .keras files to trusted sources only and validate file contents prior to deserialization."], "summary": {"action": "Patch immediately", "impact": "Arbitrary code execution during model inference"}, "threat_synthesis": {"affected_systems": "The vulnerability is present only in the keras package maintained by the keras-team, specifically version 3.13.0. No other vendors or product versions are listed as affected in the CNA data.", "description_and_impact": "The flaw in the TFSMLayer class of the Keras package allows an attacker to load TensorFlow SavedModels that are fully under the attacker's control when a .keras model is deserialized, even when safe_mode=True. This bypasses the intended safety checks and permits arbitrary code execution during model inference, executing in the context of the victim\u2019s process.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity. The lack of EPSS data prevents a precise estimate of exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivery of a malicious .keras file that the victim loads, which can occur if the victim accepts untrusted models from external sources or a compromised model repository. When exploited, the attacker can execute arbitrary code at the privileges of the inference process."}}}}, "created": "2026-04-14T16:19:06.669872+00:00", "updated": "2026-04-14T16:34:15.127451+00:00", "vendors": ["keras", "keras$PRODUCT$keras"]}