Description
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
Published: 2026-03-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Silent model loading bypass leading to potential data exfiltration
Action: Mitigate
AI Analysis

Impact

The vulnerability exists in the ONNX library's onnx.hub.load() function. In versions up to 1.20.1, the logic that checks whether a model repository is trusted lets the caller suppress the warning that normally alerts users when loading a model from a non-official source: passing silent=True is enough. As a result, a malicious model can be loaded without the user seeing any warning. Together with a filesystem read or write flaw, the attacker could use this silent loading to exfiltrate sensitive files such as SSH keys or cloud credentials. The weakness is reflected in CWE-345 (Insufficient Verification of Data Authenticity), CWE-494 (Download of Code Without Integrity Check), CWE-693 (Protection Mechanism Failure), and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Affected Systems

The affected product is the ONNX library supplied by the Linux Foundation, in any release version 1.20.1 or earlier. The Common Platform Enumeration for the product is cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*. No patched release is available at the time of the advisory.

Risk and Exploitability

The issue has a CVSS score of 8.6, indicating high severity. The EPSS score is below 1%, suggesting that widespread exploitation is not yet common. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to cause a program to call onnx.hub.load() with silent=True and provide a model from an untrusted repository. If the victim's system also contains a file-system weakness that permits reading of sensitive files, the attacker could combine the two flaws to retrieve such data. The risk therefore increases if an application that automatically loads ONNX models is compromised or if an attacker can supply the model URL.

Generated by OpenCVE AI on March 19, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Do not use silent=True in calls to onnx.hub.load(); remove the parameter entirely.
  • Limit network access for ONNX models to trusted repositories only.
  • Implement code reviews and static analysis to detect suppression of ONNX warnings.
  • Monitor application logs for unexpected calls to onnx.hub.load().
  • Stay updated and apply newer ONNX releases when they become available.
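
One way to implement the static-analysis recommendation above, as an added example that is not code from ONNX or OpenCVE: a Python ast scan that reports every onnx.hub.load() call able to suppress the untrusted-repository warning, resolving import aliases along the way. The function name, the sample source and the positional index of silent are assumptions of this example.

```python
import ast

SILENT_POS = 4  # assumption: `silent` is the fifth positional parameter of load()

# Constructed sample source, not taken from any real project.
SAMPLE = '''\
import onnx
from onnx import hub as h
from onnx.hub import load as fetch
m1 = onnx.hub.load("resnet50", repo="someone/models:main", silent=True)
m2 = fetch("resnet50", "someone/models:main", None, False, True)
m3 = h.load("resnet50", silent=quiet)
m4 = h.load("resnet50", **opts)
m5 = h.load("resnet50", silent=False)
'''

def find_silent_hub_loads(source, filename="<string>"):
    """Return sorted (line, verdict) pairs for onnx.hub.load() calls to review."""
    tree = ast.parse(source, filename)
    aliases = {}  # local name -> dotted path it is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:  # "import onnx.hub" binds only the name "onnx"
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        head, _, rest = ast.unparse(node.func).partition(".")
        if aliases.get(head, head) + ("." + rest if rest else "") != "onnx.hub.load":
            continue
        kw = {k.arg: k.value for k in node.keywords}  # key None marks **kwargs
        # Keyword form first, otherwise the positional slot (None if absent).
        value = kw.get("silent") or (node.args[SILENT_POS:] + [None])[0]
        if value is None:
            verdict = "review: **kwargs may carry silent" if None in kw else None
        elif isinstance(value, ast.Constant):
            verdict = "silent=True" if value.value else None  # truthy literal
        else:
            verdict = "review: silent is not a literal"
        if verdict:
            findings.append((node.lineno, verdict))
    return sorted(findings)

if __name__ == "__main__":
    print(find_silent_hub_loads(SAMPLE))
```

Calls where silent is a variable or arrives through **kwargs are reported for manual review rather than cleared, since their value cannot be decided from the syntax tree alone.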


Advisories
Source: GitHub GHSA
ID: GHSA-hqmj-h5c6-369m
Title: ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack
History

Thu, 19 Mar 2026 00:15:00 +0000

  • Weaknesses: added CWE-829
  • References: (none listed)
  • Metrics: removed threat_severity None; added threat_severity Important


Wed, 18 Mar 2026 20:00:00 +0000

  • First Time appeared: added Linuxfoundation; Linuxfoundation onnx
  • CPEs: added cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*
  • Vendors & Products: added Linuxfoundation; Linuxfoundation onnx

Wed, 18 Mar 2026 15:15:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

  • First Time appeared: added Onnx; Onnx onnx
  • Vendors & Products: added Onnx; Onnx onnx

Wed, 18 Mar 2026 01:30:00 +0000

  • Description: added the text given in the Description section at the top of this page
  • Title: added "ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack"
  • Weaknesses: added CWE-345, CWE-494, CWE-693
  • References: (none listed)
  • Metrics: added cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:08:50.003Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28500

Vulnrichment

Updated: 2026-03-18T14:08:41.528Z

NVD

Status: Analyzed

Published: 2026-03-18T02:16:24.227

Modified: 2026-03-18T19:47:59.707

Link: CVE-2026-28500

Redhat

Severity: Important

Public Date: 2026-03-18T01:15:07Z

Links: CVE-2026-28500 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:53:50Z