Description
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
Published: 2026-02-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Keras can be made to read arbitrary local files when it loads a .keras model file whose HDF5 content uses external dataset references, allowing a remote attacker to read files on the system where the model is loaded. The vulnerability stems from insufficient validation of HDF5 external dataset references and is classified under CWE-200 (exposure of sensitive information to an unauthorized actor) and CWE-73 (external control of file name or path). The flaw can result in the disclosure of sensitive configuration files, credentials, or source code, severely compromising confidentiality on the affected host.

Affected Systems

Google Keras versions 3.0.0 through 3.13.1 on all supported platforms are affected. Any installation of Keras within these version ranges that uses the default HDF5 model loading mechanism is vulnerable, regardless of the underlying operating system.

Risk and Exploitability

The CVSS score for this vulnerability is 7.1, indicating high severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is an attacker delivering a specially crafted .keras file to the target system, either through a file upload feature or through a training or inference pipeline that consumes user-supplied models. The vulnerability permits arbitrary local file reads, but only once the application loads the malicious model file; no active network exploitation beyond file delivery is necessary.

Generated by OpenCVE AI on April 17, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Keras to version 3.14.0 or later where the HDF5 external dataset vulnerability is fixed.
  • If upgrading is not possible, modify the model loading configuration to disallow external dataset references in HDF5 files or use a trusted parser.
  • Ensure that any .keras files supplied to the application are validated for content and origin, rejecting any containing external dataset references before loading.
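
One way to implement the pre-load check recommended above, as an added example that is not code from OpenCVE or the Keras project. It assumes the h5py package is installed and that a .keras file is a zip archive whose weights sit in an .h5 member; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

import h5py  # assumption: h5py is available in the environment that loads models


def find_external_datasets(keras_file):
    """Return (zip member, dataset, external file, offset, size) for every
    dataset in the archive's HDF5 members that uses external storage."""
    findings = []
    with zipfile.ZipFile(keras_file) as archive:
        for member in archive.namelist():
            if not member.endswith((".h5", ".hdf5")):
                continue
            blob = io.BytesIO(archive.read(member))
            with h5py.File(blob, "r") as h5:
                def visit(name, obj):
                    # Only storage metadata is inspected; dataset contents
                    # are never read. Dataset.external is None for data
                    # stored inside the HDF5 file itself.
                    if isinstance(obj, h5py.Dataset) and obj.external:
                        for ext_name, offset, size in obj.external:
                            findings.append((member, name, ext_name, offset, size))
                h5.visititems(visit)
    return findings


def build_sample(external=None):
    """Constructed sample: a minimal .keras-style zip with one weights file.
    It is a test fixture for the scanner, not a loadable Keras model."""
    h5_bytes = io.BytesIO()
    with h5py.File(h5_bytes, "w") as h5:
        h5.create_dataset("layers/dense/vars/0", shape=(16,), dtype="u1",
                          external=external)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as archive:
        archive.writestr("config.json", "{}")
        archive.writestr("model.weights.h5", h5_bytes.getvalue())
    out.seek(0)
    return out


if __name__ == "__main__":
    flagged = build_sample(external=[("constructed-external.bin", 0, 16)])
    for finding in find_external_datasets(flagged):
        print("reject before loading:", finding)
```

A pipeline would call `find_external_datasets` on each incoming file and refuse to pass it to the model loader when the returned list is non-empty.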


Advisories
Source | ID | Title
GitHub GHSA | GHSA-gfmx-qqqh-f38q | Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration)
GitHub GHSA | GHSA-3m4q-jmj6-r34q | Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading

History

Thu, 26 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Keras
Keras keras
CPEs cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*
Vendors & Products Keras
Keras keras
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 12 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Important


Thu, 12 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google keras
Vendors & Products Google
Google keras

Wed, 11 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
Title Arbitrary File Read in Keras via HDF5 External Datasets
Weaknesses CWE-200
CWE-73
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-02-12T14:53:02.502Z

Reserved: 2026-01-29T22:48:03.030Z

Link: CVE-2026-1669

Vulnrichment

Updated: 2026-02-12T14:52:46.277Z

NVD

Status: Analyzed

Published: 2026-02-11T23:16:03.750

Modified: 2026-02-26T23:23:59.430

Link: CVE-2026-1669

Red Hat

Severity: Important

Public Date: 2026-02-11T22:10:10Z

Links: CVE-2026-1669 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z
