anonhaven
Ad

CVE-2026-34445

HIGH CVSS 3.1: 8.6 EPSS 0.14%
Updated Apr 03, 2026
Python
Parameter Value
CVSS 8.6 (HIGH)
Fixed In 1.21.0
Type CWE-400 (Uncontrolled Resource Consumption), CWE-915, CWE-20 (Improper Input Validation)
Vendor Python
Public PoC No

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid.

Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-400 Uncontrolled Resource Consumption
CWE-915
CWE-20 Improper Input Validation

References 3

https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b
security-advisories@github.com
https://github.com/onnx/onnx/pull/7751
security-advisories@github.com
https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40260

Python

6.9

CVE-2026-40947

Python

2.9

CVE-2026-40192

Python

8.7

CVE-2026-40683

Python

7.7

CVE-2026-5713

Python

5.3