Cyber Resilience

CVE-2026-27489

Severity: High · Public PoC · Updated

Published: 01 April 2026
Modified: 30 June 2026
KEV Added: not in KEV
Patch: available (1.21.0)
CVSS Score (v4): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0052 (40.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27489 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Linuxfoundation Onnx. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Machine Learning Libraries, in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27489 is a path traversal vulnerability affecting the Open Neural Network Exchange (ONNX), an open standard for machine learning model interoperability. In versions prior to 1.21.0, the vulnerability enables symlink-based path traversal, allowing attackers to read arbitrary files outside the intended model or user-provided directories. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-23 (Path Traversal) and CWE-61 (Symlink Race Condition).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By crafting a malicious ONNX model containing symlinks, an attacker can traverse directory boundaries during model loading or processing, achieving high-impact unauthorized disclosure of sensitive files on the target system.

The vulnerability has been patched in ONNX version 1.21.0. The ONNX GitHub security advisory (GHSA-3r9x-f23j-gc73) and patching commit (4755f8053928dce18a61db8fec71b69c74f786cb) provide further details on the fix, recommending immediate upgrades for affected deployments.

Vulnerability details

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows reading arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.0.

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: machine learning, neural network, onnx

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in ONNX model loading enables remote unauthenticated exploitation of public-facing applications processing untrusted models (T1190) to achieve arbitrary local file read (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28500 (same product: Linuxfoundation Onnx)
CVE-2026-34445 (same product: Linuxfoundation Onnx)
CVE-2025-51480 (same product: Linuxfoundation Onnx)
CVE-2026-35167 (same vendor: Linuxfoundation)
CVE-2025-59352 (same vendor: Linuxfoundation)
CVE-2026-37530 (same vendor: Linuxfoundation)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-24124 (same vendor: Linuxfoundation)
CVE-2026-35171 (same vendor: Linuxfoundation)
CVE-2024-24421 (same vendor: Linuxfoundation)

Affected Assets

linuxfoundation
onnx
≤ 1.21.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly mitigates the path traversal vulnerability by requiring timely patching to ONNX version 1.21.0 or later.

prevent (SI-10, Information Input Validation): Validates ONNX model inputs, including file paths and symlinks, to prevent traversal outside intended directories.

prevent: Enforces least privilege on processes loading ONNX models, limiting access to sensitive files even if traversal occurs.
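The following is an added example of the input-validation control described above (SI-10) and of the symlink-based traversal discussed in the deeper analysis; it is not ONNX's own code and not the fix from the referenced commit. It assumes a loader that receives file locations relative to the model's directory and must confirm that each one, after every symlink and `..` component has been resolved, still lies inside that directory. The directory layout, file names and contents in `build_demo` are constructed for the demonstration.

```python
"""Symlink-aware directory containment check (added example, not ONNX code)."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a referenced file resolves outside the allowed directory."""


def resolve_inside(base_dir: str, relative_path: str) -> Path:
    """Return the real path of base_dir/relative_path, or raise if it escapes.

    Both the base directory and the candidate are fully resolved with
    Path.resolve(strict=True), so '..' components, absolute paths and symlinks
    (including a symlink planted inside the model directory that points
    elsewhere) are followed *before* the containment test.  is_relative_to is
    a purely lexical comparison of two already-resolved paths, so a link
    cannot make an outside target look inside.  strict=True raises
    FileNotFoundError for dangling links or missing files.
    """
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / relative_path).resolve(strict=True)
    if not candidate.is_relative_to(base):
        raise PathTraversalError(
            f"{relative_path!r} resolves to {candidate}, outside {base}")
    return candidate


def check_references(base_dir: str, locations: list[str]) -> dict[str, str]:
    """Classify each referenced location as 'ok' or 'rejected: <reason>'.

    A real loader would stop at the first rejection; returning a verdict per
    entry makes the behaviour easy to inspect and test.
    """
    verdicts = {}
    for loc in locations:
        try:
            resolve_inside(base_dir, loc)
            verdicts[loc] = "ok"
        except (PathTraversalError, FileNotFoundError) as exc:
            verdicts[loc] = f"rejected: {type(exc).__name__}"
    return verdicts


def build_demo() -> tuple[str, dict[str, str]]:
    """Build a constructed throwaway layout and run the check over it.

    root/
      secret.txt         <- constructed file outside the model directory
      model/
        weights.bin      <- legitimate external data inside the directory
        link_to_secret   <- symlink inside model/ pointing at ../secret.txt
    Returns (model_dir, verdicts).
    """
    root = Path(tempfile.mkdtemp())
    secret = root / "secret.txt"
    secret.write_text("constructed sensitive content\n")
    model_dir = root / "model"
    model_dir.mkdir()
    (model_dir / "weights.bin").write_bytes(b"\x00" * 16)
    os.symlink(secret, model_dir / "link_to_secret")
    # Hypothetical references a model might carry; 'missing.bin' exercises the
    # dangling/absent case.
    locations = ["weights.bin", "../secret.txt", "link_to_secret", "missing.bin"]
    return str(model_dir), check_references(str(model_dir), locations)


if __name__ == "__main__":
    model_dir, verdicts = build_demo()
    for loc, verdict in verdicts.items():
        print(f"{loc:16} {verdict}")
```

Only `weights.bin` is accepted; the `..` reference and the planted symlink are rejected as `PathTraversalError` and the absent file as `FileNotFoundError`. The check is deliberately performed on resolved paths rather than on the string the model supplies, because a string-level filter for `..` or for absolute paths does nothing against a symlink that is itself inside the model directory.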
