PT-2026-25841 · Onnx · Onnx

Zeroxjacks · Published 2026-03-16 · Updated 2026-04-05 · CVE-2026-28500

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Open Neural Network Exchange (ONNX) versions through 1.20.1

Description

ONNX is an open standard for machine learning interoperability. A security control bypass exists in the onnx.hub.load() function due to flawed repository trust verification logic. The silent=True parameter suppresses security warnings and confirmation prompts, enabling zero-interaction supply-chain attacks. When combined with file-system weaknesses, an attacker can silently exfiltrate sensitive files, such as SSH keys and cloud credentials, from a victim's machine when a model is loaded. The vulnerability stems from short-circuit evaluation in onnx/hub.py, where the silent parameter overrides the trust requirement. The SHA256 integrity check does not mitigate this either, because the attacker controls both the model files and the manifest used for verification.

Recommendations

For all versions up to and including 1.20.1, avoid passing silent=True to onnx.hub.load(). As a temporary workaround, load models from local files after manual verification. Compute SHA256 hashes independently instead of relying on the hub manifest. Audit your codebase for uses of silent=True with grep -r "silent.*True" --include="*.py".
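
As an added example (not code from this advisory or from the ONNX project), the following Python audit resolves import aliases with the ast module so it also reports onnx.hub.load() calls that the grep above misses, such as aliased imports or a silent value supplied through a variable; it assumes that silent is the fifth positional parameter of onnx.hub.load, and the SAMPLE source it scans is constructed.

```python
import ast

def _dotted(node):
    """Render an attribute chain such as onnx.hub.load as 'onnx.hub.load'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def find_silent_hub_loads(source):
    """Return (line, silent_value) for each onnx.hub.load call passing 'silent'.
    silent_value is the literal, or None when it is only known at runtime.
    Import aliases are resolved, which 'grep silent.*True' cannot do."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    literal = lambda n: n.value if isinstance(n, ast.Constant) else None
    findings = []
    for node in ast.walk(tree):
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name is None:
            continue
        root, _, rest = name.partition(".")
        if aliases.get(root, root) + (f".{rest}" if rest else "") != "onnx.hub.load":
            continue
        for kw in node.keywords:
            if kw.arg == "silent":
                findings.append((node.lineno, literal(kw.value)))
        if len(node.args) >= 5:  # assumption: silent is the 5th positional parameter
            findings.append((node.lineno, literal(node.args[4])))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample, not real project code; line numbers inside it are 1-based.
SAMPLE = """\
import onnx.hub as oh
from onnx.hub import load as hub_load
import onnx
QUIET = True
m1 = oh.load("resnet50", silent=True)
m2 = hub_load("bert-base", silent=QUIET)
m3 = onnx.hub.load("yolov4", "onnx/models:main", None, False, True)
m4 = other.load("x", silent=True)
"""
```

A None value in a finding means the argument is not a literal and the call site needs manual review; unrelated load() functions such as the constructed other.load are ignored.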

Weakness Enumeration

Protection Mechanism Failure
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-28500
GHSA-HQMJ-H5C6-369M
PYSEC-2026-103

Affected Products

Onnx