Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-hqmj-h5c6-369m

Опубликовано: 16 мар. 2026
Источник: github
Github: Прошло ревью
CVSS3: 8.6

Описание

ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack

What's the issue

Passing silent=True to onnx.hub.load() kills all trust warnings and user prompts. This means a model can be downloaded from any unverified GitHub repo with zero user awareness.

if not _verify_repo_ref(repo) and not silent: # completely skipped when silent=True print("The model repo... is not trusted") if input().lower() != "y": return None

On top of that, the SHA256 integrity check is useless here — it validates against a manifest that lives in the same repo the attacker controls, so the hash will always match.

Impact

Any pipeline using hub.load() with silent=True and an external repo string is silently loading whatever the repo owner ships. If that model executes arbitrary code on load, the attacker has access to the machine.

Resolved by removing the feature

Ссылки

Пакеты

Наименование

onnx

pip
Затронутые версииВерсия исправления

<= 1.20.1

Отсутствует

EPSS

Процентиль: 1%
0.0001
Низкий

8.6 High

CVSS3

CVE ID

CVE-2026-28500

Дефекты

CWE-345
CWE-494
CWE-693

Связанные уязвимости

ubuntu логотип

CVE-2026-28500

CVSS3: 8.6
ubuntu
10 дней назад

(Open Neural Network Exchange (ONNX) is an open standard for machine le ...)

redhat логотип

CVE-2026-28500

CVSS3: 8.6
redhat
10 дней назад

A flaw was found in Open Neural Network Exchange (ONNX), an open standard for machine learning interoperability. A security control bypass exists in the `onnx.hub.load()` function due to improper logic in its repository trust verification. An attacker can exploit this by providing a malicious model, which, when loaded with the `silent=True` parameter, suppresses all security warnings. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks.

nvd логотип

CVE-2026-28500

CVSS3: 8.6
nvd
10 дней назад

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

debian логотип

CVE-2026-28500

CVSS3: 8.6
debian
10 дней назад

Open Neural Network Exchange (ONNX) is an open standard for machine le ...

EPSS

Процентиль: 1%
0.0001
Низкий

8.6 High

CVSS3

CVE ID

CVE-2026-28500

Дефекты

CWE-345
CWE-494
CWE-693