Description
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.
Published: 2026-04-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution during model inference
Action: Patch immediately
AI Analysis

Impact

The flaw in the TFSMLayer class of the Keras package allows an attacker to load TensorFlow SavedModels that are fully under the attacker's control when a .keras model is deserialized, even when safe_mode=True. This bypasses the intended safety checks and permits arbitrary code execution during model inference, executing in the context of the victim’s process.

Affected Systems

The vulnerability is present only in the keras package maintained by the keras-team, specifically version 3.13.0. No other vendors or product versions are listed as affected in the CNA data.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. The lack of EPSS data prevents a precise estimate of exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivery of a malicious .keras file that the victim loads, which can occur if the victim accepts untrusted models from external sources or a compromised model repository. When exploited, the attacker can execute arbitrary code at the privileges of the inference process.

Generated by OpenCVE AI on April 14, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade keras to a patched release (3.13.1 or newer).
  • Restrict loading of .keras files to trusted sources only and validate file contents prior to deserialization.

Generated by OpenCVE AI on April 14, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4f3f-g24h-fr8m Keras has an untrusted deserialization vulnerability
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Keras
Keras keras
Vendors & Products Keras
Keras keras

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.
Title Safe Mode Bypass in keras-team/keras
Weaknesses CWE-502
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Keras Keras
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-13T18:53:12.291Z

Reserved: 2026-01-27T04:14:51.848Z

Link: CVE-2026-1462

cve-icon Vulnrichment

Updated: 2026-04-13T18:53:07.966Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T15:17:18.967

Modified: 2026-04-17T15:34:21.867

Link: CVE-2026-1462

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T14:55:28Z

Links: CVE-2026-1462 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:15Z

Weaknesses