{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T19:46:03.541Z", "datePublished": "2026-04-01T17:33:51.281Z", "dateUpdated": "2026-04-01T19:09:18.474Z"}, "containers": {"cna": {"title": "ONNX: Path Traversal via Symlink", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-61", "lang": "en", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73"}, {"name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"}], "affected": [{"vendor": "onnx", "product": "onnx", "versions": [{"version": "< 1.21.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:33:51.281Z"}, "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0."}], "source": {"advisory": "GHSA-3r9x-f23j-gc73", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T19:08:27.206936Z", "id": "CVE-2026-27489", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:09:18.474Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T19:08:27.206936Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T19:09:15.456Z"}}], "cna": {"title": "ONNX: Path Traversal via Symlink", "source": {"advisory": "GHSA-3r9x-f23j-gc73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "onnx", "product": "onnx", "versions": [{"status": "affected", "version": "< 1.21.0"}]}], "references": [{"url": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73", "name": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-61", "description": "CWE-61: UNIX Symbolic Link (Symlink) Following"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T17:33:51.281Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27489", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:09:18.474Z", "dateReserved": "2026-02-19T19:46:03.541Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T17:33:51.281Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*", "matchCriteriaId": "D94F43D7-D50D-4698-B07D-215EBBAB63F2", "versionEndExcluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0."}], "id": "CVE-2026-27489", "lastModified": "2026-04-07T20:22:04.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T18:16:28.287", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-61"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "onnx: ONNX: Information Disclosure via Path Traversal Vulnerability", "id": "2453929", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453929"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Open Neural Network Exchange (ONNX), an open standard for machine learning interoperability. This path traversal vulnerability, exploitable via a symbolic link (symlink), allows an attacker to read arbitrary files located outside of the intended model or user-provided directories. This could lead to unauthorized information disclosure."], "name": "CVE-2026-27489", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-openvino-model-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Under investigation", "package_name": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-01T17:33:51Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27489\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27489\nhttps://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb\nhttps://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.21.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "onnx", "source": "cna", "vendor": "onnx"}, "product": "onnx", "vendor": "onnx"}], "analysis": {"en": {"generated_at": "2026-04-07T21:46:57.872612+00:00", "value": {"mitigation_remediation": ["Upgrade ONNX to version 1.21.0 or later.", "If an upgrade is not immediately possible, reject or sanitize any model files that contain symbolic links before loading them.", "Run the ONNX runtime with the minimum necessary filesystem permissions to limit potential data exposure."], "summary": {"action": "Patch", "impact": "Data Exfiltration via Path Traversal"}, "threat_synthesis": {"affected_systems": "The issue affects the ONNX library from the Linux Foundation. Any deployment of ONNX 1.20.x or earlier is vulnerable, regardless of the host operating system. The vulnerability was patched with version\u00a01.21.0, so only installations that have not updated to that or newer release remain affected.", "description_and_impact": "Open Neural Network Exchange (ONNX) versions before 1.21.0 contain a path traversal flaw that allows a malicious model to read files outside of its designated directory. The vulnerability operates by following symbolic links embedded in the model, enabling an attacker to read arbitrary files on the host filesystem, potentially exposing confidential information. The weakness is classified as CWE\u201122, CWE\u201123 and CWE\u201161, which denote path traversal and absolute path traversal errors.", "risk_and_exploitability": "The CVSS score of\u00a08.7 indicates a high severity, but the EPSS score of less than\u00a01% signifies that the likelihood of exploitation is low at present. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known widespread exploitation. To exploit it, an attacker would need to supply a malicious ONNX model that contains a symlink pointing to a sensitive file, so the threat is primarily to systems that accept untrusted models without proper validation."}}}}, "created": "2026-04-02T07:48:07.997439+00:00", "updated": "2026-04-08T19:57:00.944665+00:00", "vendors": ["onnx", "onnx$PRODUCT$onnx"]}