CVE-2026-28500

CVE-2026-28500 is a security control bypass vulnerability affecting the Open Neural Network Exchange (ONNX), an open standard for machine learning model interoperability. The issue resides in the onnx.hub.load() function in versions up to and including 1.20.1, stemming from improper logic in the repository trust verification mechanism. Although the function normally warns users about loading models from non-official sources, setting the silent=True parameter fully suppresses all security warnings and confirmation prompts, effectively bypassing intended safeguards.

The vulnerability enables exploitation over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), earning a score of 8.6. Attackers can leverage it as a vector for zero-interaction supply-chain attacks by hosting malicious models on unofficial repositories. Upon loading a model with silent=True, an attacker could chain this with file-system vulnerabilities to silently exfiltrate sensitive data, such as SSH keys or cloud credentials, from the victim's machine.

Official advisories, including the ONNX security advisory (GHSA-hqmj-h5c6-369m), confirm no patched versions were available as of the CVE's publication on 2026-03-18. Security practitioners should monitor for updates from the ONNX project and avoid using silent=True with untrusted models in the interim.

This flaw highlights supply-chain risks in the AI/ML ecosystem, where model loading functions can serve as high-impact attack surfaces without user awareness. No real-world exploitation has been reported as of publication.