CVE-2026-27489 Overview
CVE-2026-27489 is a path traversal vulnerability in Open Neural Network Exchange (ONNX), an open standard for machine learning interoperability. Prior to version 1.21.0, attackers can exploit symlink handling to read arbitrary files outside the model or user-provided directory. This vulnerability enables unauthorized access to sensitive system files, potentially exposing credentials, configuration data, and other confidential information.
Critical Impact
Attackers can leverage this path traversal vulnerability to read arbitrary files on the system by crafting malicious ONNX models with symlinks pointing to sensitive directories, potentially leading to information disclosure of credentials and system configurations.
Affected Products
- Open Neural Network Exchange (ONNX) versions prior to 1.21.0
- Applications using ONNX library for ML model loading and processing
- ML pipelines and inference systems that consume untrusted ONNX models
Discovery Timeline
- 2026-04-01 - CVE CVE-2026-27489 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-27489
Vulnerability Analysis
This vulnerability falls under CWE-23 (Relative Path Traversal) and affects how ONNX handles external data file references within ML models. The root cause lies in insufficient validation of symlinks within model directories. When ONNX loads a model with external tensor data, it resolves file paths to locate the data files. However, prior to the fix, the implementation only checked whether the final path component was a symlink, failing to account for symlink traversal through parent directory components.
An attacker can craft a malicious ONNX model containing a path like symlink_subdir/real_file.data where symlink_subdir is a symbolic link pointing to a sensitive directory (e.g., /etc/). The existing is_symlink() check would pass because the final component real_file.data is not itself a symlink, but the resolved path would escape the intended model directory.
Root Cause
The vulnerability stems from incomplete symlink validation in the external data loading mechanism. The original implementation used is_symlink() which only validates the final component of a file path. This approach fails to detect path traversal when symlinks exist in parent directory components of the path. Additionally, the code lacked canonical path containment checks to ensure resolved paths remain within the designated base directory.
Attack Vector
The attack requires network access to deliver a malicious ONNX model to a vulnerable system. An attacker can:
- Create a malicious ONNX model with external data references
- Include symlinks in the model archive pointing to sensitive system directories
- Reference files through these symlinks using paths that bypass the final-component symlink check
- When the victim loads the model, sensitive files are read as "external tensor data"
The following security patch demonstrates the fix implemented in onnx/checker.cc:
data_path_str,
", but it is a symbolic link.");
}
+ // Verify the resolved path stays within the base directory to prevent
+ // path traversal via symlinks in parent directory components.
+ // is_symlink() only checks the final component; a path like
+ // "symlink_subdir/real_file.data" would bypass it.
+ if (data_path_str[0] != '#') {
+ std::error_code ec;
+ auto canonical_base = std::filesystem::weakly_canonical(base_dir_path, ec);
+ if (ec) {
+ fail_check(
+ "Data of TensorProto ( tensor name: ",
+ tensor_name,
+ ") references external data at ",
+ data_path_str,
+ ", but the model directory path could not be resolved.");
+ }
+ auto canonical_data = std::filesystem::weakly_canonical(data_path, ec);
+ if (ec) {
+ fail_check(
+ "Data of TensorProto ( tensor name: ",
+ tensor_name,
+ ") references external data at ",
+ data_path_str,
+ ", but the data path could not be resolved.");
+ }
+ auto canonical_base_native = canonical_base.native();
+ auto canonical_data_native = canonical_data.native();
+ if (!canonical_base_native.empty() && canonical_base_native.back() != std::filesystem::path::preferred_separator) {
Source: GitHub Commit Update
The Python validation function added in onnx/external_data_helper.py implements comprehensive security checks:
self.length = int(self.length)
+def _validate_external_data_path(
+ base_dir: str,
+ data_path: str,
+ tensor_name: str,
+ *,
+ check_exists: bool = True,
+) -> str:
+ """Validate that an external data path is safe to open.
+
+ Performs three security checks:
+ 1. Canonical path containment — resolved path must stay within base_dir.
+ 2. Symlink rejection — final-component symlinks are not allowed.
+ 3. Hardlink count — files with multiple hard links are rejected.
+
+ Args:
+ base_dir: The model base directory that data_path must be contained in.
+ data_path: The external data file path to validate.
+ tensor_name: Tensor name for error messages.
+ check_exists: If True (default), check hardlink count. Set to False
+ for save-side paths where the file may not exist yet.
+
+ Returns:
+ The validated data_path (unchanged).
+
+ Raises:
+ onnx.checker.ValidationError: If any security check fails.
+ """
Source: GitHub Commit Update
Detection Methods for CVE-2026-27489
Indicators of Compromise
- ONNX model files containing symbolic links in their extracted contents
- Model archives with external data references pointing to paths containing .. or absolute paths
- File access attempts to sensitive system files (e.g., /etc/passwd, /etc/shadow, credential files) from ML inference processes
- Unusual file read operations from processes loading ONNX models outside their working directory
Detection Strategies
- Monitor file system access patterns from ML inference applications for reads outside designated model directories
- Implement file integrity monitoring on sensitive system directories to detect unauthorized access
- Deploy application-level logging to track ONNX model loading operations and associated file accesses
- Use SentinelOne's behavioral AI to detect anomalous file access patterns from ML workloads
Monitoring Recommendations
- Enable audit logging for file access operations on systems running ONNX-based inference
- Configure alerts for symlink creation in model staging directories
- Monitor network traffic for delivery of untrusted ONNX model files
- Implement content inspection for ONNX models entering the environment to detect embedded symlinks
How to Mitigate CVE-2026-27489
Immediate Actions Required
- Upgrade ONNX to version 1.21.0 or later immediately across all environments
- Audit existing ONNX models in use for suspicious symlinks or external data references
- Implement input validation for ONNX models from untrusted sources before loading
- Restrict file system permissions for ML inference processes to limit potential impact
Patch Information
The vulnerability has been patched in ONNX version 1.21.0. The fix implements three comprehensive security checks: canonical path containment verification to ensure resolved paths stay within the base directory, symlink rejection for final-component symlinks, and hardlink count validation to reject files with multiple hard links. For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory GHSA-3r9x-f23j-gc73.
Workarounds
- Run ONNX model loading in sandboxed environments with restricted file system access
- Implement pre-processing validation to scan ONNX models for symlinks before loading
- Use containerization with read-only mounts for sensitive directories to prevent unauthorized access
- Deploy network segmentation to isolate ML inference systems from sensitive data stores
# Configuration example - Upgrade ONNX to patched version
pip install --upgrade onnx>=1.21.0
# Verify installed version
python -c "import onnx; print(onnx.__version__)"
# Scan model directory for symlinks before loading
find /path/to/models -type l -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
