Cyber Resilience

CVE-2026-28500

Severity: High

Published: 18 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: none available as of publication
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0026 (16.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28500 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Linuxfoundation Onnx. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Supply Chain Compromise (T1195). The vulnerability is ranked at the 16.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SR-11 (Component Authenticity).

Deeper analysis

CVE-2026-28500 is a security control bypass vulnerability affecting the Open Neural Network Exchange (ONNX), an open standard for machine learning model interoperability. The issue resides in the onnx.hub.load() function in versions up to and including 1.20.1, stemming from improper logic in the repository trust verification mechanism. Although the function normally warns users about loading models from non-official sources, setting the silent=True parameter fully suppresses all security warnings and confirmation prompts, effectively bypassing intended safeguards.

The vulnerability enables exploitation over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), earning a score of 8.6. Attackers can leverage it as a vector for zero-interaction supply-chain attacks by hosting malicious models on unofficial repositories. Upon loading a model with silent=True, an attacker could chain this with file-system vulnerabilities to silently exfiltrate sensitive data, such as SSH keys or cloud credentials, from the victim's machine.

Official advisories, including the ONNX security advisory (GHSA-hqmj-h5c6-369m), confirm no patched versions were available as of the CVE's publication on 2026-03-18. Security practitioners should monitor for updates from the ONNX project and avoid using silent=True with untrusted models in the interim.

This flaw highlights supply-chain risks in the AI/ML ecosystem, where model loading functions can serve as high-impact attack surfaces without user awareness. No real-world exploitation has been reported as of publication.


Vulnerability details

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.
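A defender-side audit for the bypass described in the analysis and details sections above, added here and not code from the ONNX project or the advisory: it parses Python source with ast and flags onnx.hub.load() calls that pass silent=True together with a repository other than the official one, so such call sites can be caught in code review or CI. It assumes the official repository is onnx/models (with an optional :ref suffix), that repo is hub.load's second positional parameter, and that omitting repo selects that official default.

```python
import ast

# Assumptions (not stated on the page): the official repository is "onnx/models"
# (optional ":<ref>" suffix), repo is hub.load's second positional parameter,
# and omitting repo selects that official default.
OFFICIAL_REPO = "onnx/models"

def _is_hub_load(call: ast.Call) -> bool:
    """Match hub.load(...) and <pkg>.hub.load(...); import aliases are not resolved."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and f.attr == "load"):
        return False
    v = f.value
    return (isinstance(v, ast.Name) and v.id == "hub") or (
        isinstance(v, ast.Attribute) and v.attr == "hub")

def _keyword(call: ast.Call, name: str):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)

def find_silent_untrusted_loads(source: str):
    """Return (lineno, repo, reason) for each hub.load call that sets silent=True
    with an unofficial repo, or with a repo that is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_hub_load(node)):
            continue
        silent = _keyword(node, "silent")
        if not (isinstance(silent, ast.Constant) and silent.value is True):
            continue  # warnings and prompts still fire; not the bypass in this CVE
        repo = _keyword(node, "repo")
        if repo is None and len(node.args) >= 2:
            repo = node.args[1]
        if repo is None:
            continue  # default repo, assumed to be the official source
        if isinstance(repo, ast.Constant) and isinstance(repo.value, str):
            if repo.value.split(":", 1)[0] != OFFICIAL_REPO:
                findings.append((node.lineno, repo.value, "unofficial repo with silent=True"))
        else:
            findings.append((node.lineno, None, "non-literal repo with silent=True"))
    return findings

# Constructed sample source to audit; not real project code.
SAMPLE = '''import onnx.hub as hub
m1 = hub.load("resnet50", silent=True)                            # default repo: ok
m2 = hub.load("resnet50", "evil/models:main", silent=True)        # flagged
m3 = onnx.hub.load("mnist", repo="onnx/models:main", silent=True) # official: ok
m4 = hub.load("mnist", repo="third-party/models", silent=False)   # prompt shown: ok
m5 = hub.load("mnist", repo=user_repo, silent=True)               # flagged: not vettable
'''
```

A non-literal repo is reported too, because a value computed at runtime cannot be vetted statically and should be reviewed by hand.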

CWE(s): CWE-345 Insufficient Verification of Data Authenticity

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: machine learning, neural network, onnx

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195 Supply Chain Compromise (Initial Access): Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.001 Compromise Software Dependencies and Development Tools (Initial Access): Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1553 Subvert Trust Controls (Defense Impairment): Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
Why these techniques?

Bypasses onnx.hub repository trust verification and warning prompts (via silent=True), directly enabling zero-interaction supply-chain attacks through malicious model loading from unofficial sources; maps to T1195 and sub-techniques for ML dependency compromise plus T1553 for subverting trust controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34445 (same product: Linuxfoundation Onnx)
CVE-2026-27489 (same product: Linuxfoundation Onnx)
CVE-2025-51480 (same product: Linuxfoundation Onnx)
CVE-2024-24416 (same vendor: Linuxfoundation)
CVE-2026-25996 (same vendor: Linuxfoundation)
CVE-2026-32613 (same vendor: Linuxfoundation)
CVE-2026-27571 (same vendor: Linuxfoundation)
CVE-2026-24835 (same vendor: Linuxfoundation)
CVE-2026-33009 (same vendor: Linuxfoundation)
CVE-2025-68136 (same vendor: Linuxfoundation)

Affected Assets

Vendor: linuxfoundation
Product: onnx
Versions: ≤ 1.20.1

Mitigating Controls (NIST 800-53 r5)

prevent: Restricts ML models to those with approved supply chain provenance, directly preventing loading from non-official repositories without trust verification.

prevent: Requires verification of component authenticity prior to use, mitigating silent loading of potentially malicious ONNX models from untrusted sources.

prevent: Mandates cryptographic signature verification on software components such as ONNX models before loading, so that the silent=True parameter's suppression of warnings no longer decides whether an untrusted model is accepted.
