CVE-2026-1669

High

Published: 11 February 2026

Modified: 26 February 2026
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1669 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Keras. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Deep Learning Frameworks, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1669 is an arbitrary file read vulnerability in the model loading mechanism, specifically the HDF5 integration, affecting Keras versions 3.0.0 through 3.13.1 on all supported platforms. Published on 2026-02-11, the flaw enables a remote attacker to read local files and disclose sensitive information via a crafted .keras model file that uses HDF5 external dataset references. It is associated with CWE-73 (External Control of File Name or Path) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A remote attacker can exploit this vulnerability without privileges, over the network, with low attack complexity and no user interaction required. By tricking a victim into loading a malicious .keras model file—such as through shared repositories, downloads, or collaborative ML workflows—the attacker achieves arbitrary local file reads, potentially exposing sensitive data like configuration files, credentials, or proprietary datasets.

Mitigation details and further guidance are available in the advisory from Google Security Research at https://github.com/google/security-research/security/advisories.

Vulnerability details

Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.

AI Security Analysis

AI Category: Deep Learning Frameworks
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: keras

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005: Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Arbitrary local file read via crafted model directly enables Data from Local System (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0897 (same product: Keras Keras)
CVE-2025-1550 (same product: Keras Keras)
CVE-2025-24263 (shared CWE-200)
CVE-2025-30424 (shared CWE-200)
CVE-2024-56443 (shared CWE-200)
CVE-2025-31183 (shared CWE-200)
CVE-2025-24246 (shared CWE-200)
CVE-2025-24204 (shared CWE-200)
CVE-2026-0905 (shared CWE-200)
CVE-2026-48920 (shared CWE-73)

Affected Assets

keras keras, versions 3.0.0 through 3.13.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Rejects or sanitizes untrusted .keras/HDF5 model files containing external dataset references before they are processed by the loader.

Prevent: Enforces that the model-loading process may only access files explicitly permitted by policy, blocking arbitrary local-file reads via crafted external references.

Prevent: Requires cryptographic or integrity verification of model files prior to loading, preventing use of attacker-supplied .keras files that exploit HDF5 external references.
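One way to implement the first control above (rejecting model files that contain external dataset references) as a pre-load check. This is an added example, not code from the original page or from the Keras project. It assumes the h5py package is installed and that a .keras file is a zip archive whose weights member is an HDF5 file; the function names are hypothetical.

```python
import os
import shutil
import tempfile
import zipfile

import h5py  # assumption: h5py is installed; all function names here are hypothetical


def external_datasets(h5_path):
    """Return [(dataset name, [external file names])] for datasets stored outside the file."""
    found = []

    def visit(name, obj):
        # Dataset.external is None for ordinary storage, otherwise a list of
        # (filename, offset, size) tuples naming files outside the HDF5 container.
        if isinstance(obj, h5py.Dataset) and obj.external:
            found.append((name, [os.fsdecode(entry[0]) for entry in obj.external]))

    with h5py.File(h5_path, "r") as f:
        f.visititems(visit)  # walks object metadata; dataset contents are never read
    return found


def scan_keras_archive(archive_path):
    """Return {zip member: findings} for HDF5 members that declare external datasets."""
    report = {}
    with zipfile.ZipFile(archive_path) as zf, tempfile.TemporaryDirectory() as tmp:
        for index, info in enumerate(zf.infolist()):
            if info.is_dir():
                continue
            # Copy to a name chosen here, so member names cannot steer the write path.
            candidate = os.path.join(tmp, f"member_{index}")
            with zf.open(info) as src, open(candidate, "wb") as dst:
                shutil.copyfileobj(src, dst)
            # Identify HDF5 content by signature, not by file extension.
            if h5py.is_hdf5(candidate):
                findings = external_datasets(candidate)
                if findings:
                    report[info.filename] = findings
    return report


def is_safe_to_load(archive_path):
    """True only when no HDF5 member of the archive references an external file."""
    return not scan_keras_archive(archive_path)
```

A non-empty report is grounds to reject the file before it reaches the model loader; the check covers external dataset storage only and does not replace integrity verification of the model file.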
