CVE-2026-1669
Published: 11 February 2026
Summary
CVE-2026-1669 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Keras. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1669 is an arbitrary file read vulnerability in the model loading mechanism, specifically the HDF5 integration, affecting Keras versions 3.0.0 through 3.13.1 on all supported platforms. Published on 2026-02-11, the flaw enables a remote attacker to read local files and disclose sensitive information via a crafted .keras model file that uses HDF5 external dataset references. It is associated with CWE-73 (External Control of File Name or Path) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A remote attacker can exploit this vulnerability without privileges, over the network, with low attack complexity and no user interaction required. By tricking a victim into loading a malicious .keras model file—such as through shared repositories, downloads, or collaborative ML workflows—the attacker achieves arbitrary local file reads, potentially exposing sensitive data like configuration files, credentials, or proprietary datasets.
Mitigation details and further guidance are available in the advisory from Google Security Research at https://github.com/google/security-research/security/advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7036
Vulnerability details
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: keras
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary local file read via crafted model directly enables Data from Local System (T1005).
Mitigating Controls (NIST 800-53 r5)
Rejects or sanitizes untrusted .keras/HDF5 model files containing external dataset references before they are processed by the loader.
Enforces that the model-loading process may only access files explicitly permitted by policy, blocking arbitrary local-file reads via crafted external references.
Requires cryptographic or integrity verification of model files prior to loading, preventing use of attacker-supplied .keras files that exploit HDF5 external references.
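One way to apply the first control above before a file reaches the loader is a pre-load scan that rejects any model whose HDF5 datasets declare external storage. This is an added example, not code from Keras or from the advisory; it assumes the third-party h5py package is installed and that HDF5 weight members inside a .keras archive carry an .h5 suffix, and the function names are hypothetical.

```python
import io
import os
import sys
import zipfile

import h5py  # third-party dependency (pip install h5py)


def external_datasets(h5file):
    """List (dataset path, [external file names]) for one open HDF5 file."""
    hits = []

    def visit(name, obj):
        # Dataset.external is None for normal storage; otherwise a list of
        # (file name, offset, size) tuples taken from the creation properties.
        if isinstance(obj, h5py.Dataset) and obj.external:
            hits.append((name, [os.fsdecode(e[0]) for e in obj.external]))

    h5file.visititems(visit)
    return hits


def scan_model_file(path):
    """Return {member name: hits} for a .keras archive or a bare HDF5 file."""
    findings = {}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            for info in archive.infolist():
                # Assumption: HDF5 weight members carry an .h5 suffix.
                if not info.filename.lower().endswith(".h5"):
                    continue
                blob = io.BytesIO(archive.read(info))  # scanned in memory
                with h5py.File(blob, "r") as h5file:
                    hits = external_datasets(h5file)
                if hits:
                    findings[info.filename] = hits
    else:
        with h5py.File(path, "r") as h5file:
            hits = external_datasets(h5file)
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan_model.py MODEL_FILE")
    report = scan_model_file(sys.argv[1])
    for member, hits in report.items():
        for dataset, files in hits:
            print(f"REJECT {member}:{dataset} -> external {files}")
    sys.exit(1 if report else 0)
```

A non-empty result means the file should be quarantined rather than passed to the model loader; the scan complements, and does not replace, upgrading beyond the affected versions and restricting what the loading process can read.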