CVE-2026-34447

MEDIUM5.5EPSS 0.01%

ONNX: External Data Symlink Traversal

Published: 4/1/2026Modified: 5/20/2026

Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

Affected packages (3)

Debian/onnxfrom 0
PyPI/onnxfrom 0, < 1.21.0
PyPI/onnxfrom 0, < 1.21.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34447
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-34447
PATCHhttps://github.com/onnx/onnx
WEBhttps://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj