PT-2026-29580 · Onnx · Onnx

Jayashwas · Published 2026-04-01 · Updated 2026-04-01 · CVE-2026-34447

CVSS v3.1: 5.5 (Medium) AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ONNX versions prior to 1.21.0

Description: ONNX versions prior to 1.21.0 contain a symlink traversal vulnerability in the external data loading process that allows reading files outside the intended model directory. The flaw lies in the _resolve_external_data_location function, reached through the Python helper onnx.external_data_helper.load_external_data_for_model. The function does not adequately reject symlinks, so a symlink placed inside the model directory can point to a file outside it. The result is an arbitrary file read and a potential confidentiality breach. A proof of concept (PoC) creates a symlink inside the model directory that targets a system file and then reads that file's contents through the external data loading mechanism.

Recommendations: Update to ONNX version 1.21.0 or later.
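The defect described above is a containment check that inspects the path string but not what the path points to. The following is an added illustration, not onnx's own code and not the patched function: resolve_lexically stands in for a check that only normalizes the string, resolve_safely applies os.path.realpath to both the base directory and the candidate before the prefix comparison, and build_fixture creates a constructed sample tree (a model directory containing a genuine data file and a symlink to a file one level up) so the difference can be observed offline. All three names are hypothetical.

```python
import os
import tempfile


def resolve_lexically(base_dir: str, location: str) -> str:
    """Containment check that only normalizes the path string.

    It catches "../" escapes but not symlinks: a link inside the model
    directory still passes because its target is never examined.
    (Illustrative weak pattern, not onnx's implementation.)
    """
    base = os.path.abspath(base_dir)
    candidate = os.path.normpath(os.path.join(base, location))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"external data location escapes model directory: {location}")
    return candidate


def resolve_safely(base_dir: str, location: str) -> str:
    """Containment check on the fully resolved (symlink-followed) path.

    realpath() is applied to both the base directory and the candidate, so a
    symlink whose target lies outside the model directory resolves to an
    outside path and fails the prefix comparison.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, location))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"external data location escapes model directory: {location}")
    return candidate


def load_external_tensor(resolver, base_dir: str, location: str) -> str:
    """Resolve `location` with `resolver`, read the file, and report the outcome.

    Returns "rejected" when the resolver refuses the path, otherwise
    "read:<contents>" so callers can see exactly which bytes were exposed.
    """
    try:
        path = resolver(base_dir, location)
    except ValueError:
        return "rejected"
    with open(path, "rb") as f:
        return "read:" + f.read().decode()


def build_fixture() -> str:
    """Constructed sample layout (no real model involved):

        <tmp>/outside.txt         file that must stay unreadable
        <tmp>/model/legit.bin     genuine external data
        <tmp>/model/weights.bin   symlink -> ../outside.txt

    Returns the model directory path.
    """
    tmp = tempfile.mkdtemp(prefix="onnx-ext-")
    with open(os.path.join(tmp, "outside.txt"), "w") as f:
        f.write("SECRET")
    model_dir = os.path.join(tmp, "model")
    os.mkdir(model_dir)
    with open(os.path.join(model_dir, "legit.bin"), "w") as f:
        f.write("weights")
    os.symlink("../outside.txt", os.path.join(model_dir, "weights.bin"))
    return model_dir


if __name__ == "__main__":
    model_dir = build_fixture()
    for name, resolver in (("lexical", resolve_lexically), ("realpath", resolve_safely)):
        for loc in ("legit.bin", "weights.bin", "../outside.txt"):
            print(f"{name:8} {loc:16} -> {load_external_tensor(resolver, model_dir, loc)}")
```

Both resolvers reject a plain "../" escape; only the realpath-based one rejects the symlink, while still accepting a symlink whose target stays inside the model directory. If a deployment should never accept symlinks at all, add an os.path.islink check on the candidate. A resolve-then-open sequence also remains a race window on a directory an attacker can write to, so the strictest variant opens the file with os.O_NOFOLLOW and verifies containment on the opened descriptor.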

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-34447, GHSA-P433-9WV8-28XJ

Affected Products: Onnx