PT-2026-54620 · Keras Team · Keras-Team/Keras

Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12480
CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the H5IOStore._verify_dataset() method and in file_editor.py, which fail to check the dataset.is_virtual property of HDF5 datasets. This allows an attacker to craft a malicious .keras model archive or .h5 weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model with keras.models.load_model() or keras.saving.load_model(), the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.
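
As an added defender-side example (not Keras project code), the scanner below inspects an HDF5 weights file before it is handed to a loader and flags every storage type that makes the HDF5 library read another file on the loader's behalf: virtual datasets (via the is_virtual property the advisory says was left unchecked), raw external storage, and external links. It assumes h5py is installed; the file names and dataset paths it writes are constructed for the demonstration.

```python
import os
import tempfile
import h5py

def find_cross_file_storage(path):
    """Return [(object path, reason)] for every object in the HDF5 file at `path`
    whose bytes would be read from a different file. Links are looked up with
    getlink=True, so the scan itself never opens another file."""
    findings = []

    def walk(group, prefix):
        for key in group:
            obj_path = f"{prefix}/{key}"
            link = group.get(key, getlink=True)
            if isinstance(link, h5py.ExternalLink):
                findings.append((obj_path, f"external link -> {link.filename}:{link.path}"))
                continue  # never dereference it
            obj = group[key]
            if isinstance(obj, h5py.Group):
                walk(obj, obj_path)
            elif isinstance(obj, h5py.Dataset):
                if obj.is_virtual:  # the property the advisory says went unchecked
                    srcs = {m.file_name for m in obj.virtual_sources()}
                    srcs = sorted(s.decode() if isinstance(s, bytes) else s for s in srcs)
                    findings.append((obj_path, "virtual dataset -> " + ", ".join(srcs)))
                elif obj.external:  # raw external storage, the older read primitive
                    findings.append((obj_path, "external storage"))

    with h5py.File(path, "r") as f:
        walk(f, "")
    return findings

def build_sample_weights(path):
    """Constructed sample: a benign tensor, a VDS whose only source is a file that
    does not exist here, and an external link. Writing them opens neither target."""
    with h5py.File(path, "w") as f:
        f.create_dataset("layers/dense/kernel", data=[1.0, 2.0, 3.0, 4.0])
        layout = h5py.VirtualLayout(shape=(4,), dtype="float32")
        layout[:] = h5py.VirtualSource("/nonexistent/victim.h5", "secret", shape=(4,))
        f.create_group("layers/evil").create_virtual_dataset("bias", layout, fillvalue=0)
        f["layers/linked"] = h5py.ExternalLink("/nonexistent/other.h5", "/weights")

def demo_scan():
    """Write the sample to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "model.weights.h5")
        build_sample_weights(path)
        return find_cross_file_storage(path)
```

For a .keras archive the member to scan is model.weights.h5; a loader that rejects any finding before calling load_model() does not depend on the installed Keras version carrying the fix.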

Related Identifiers: CVE-2026-12480

Affected Products: Keras-Team/Keras