PT-2026-55585 · Keras Team · Keras

Published: 2026-07-03 · Updated: 2026-07-03 · CVE-2026-12481

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

keras-team/keras version 3.14.0

Description

Improper handling of deserialization in the Lambda layer allows for arbitrary OS-level code execution in the context of the server or user process. The _raise_for_lambda_deserialization() function fails to enforce the safe-mode guard when safe_mode is set to None, which is the default value when from_config() is called outside of a SafeModeScope context. This logic error treats None as False, bypassing the guard and allowing attacker-controlled marshal bytecode to be deserialized. Affected call sites include the keras.layers.deserialize(config) and keras.models.clone_model(model) endpoints, as well as any direct invocation of the Lambda.from_config(config) function without an enclosing SafeModeScope(True).

Recommendations

For version 3.14.0, ensure that Lambda.from_config(config) is called within an enclosing SafeModeScope(True) to enforce the safe-mode guard. As a temporary mitigation, restrict the use of the keras.layers.deserialize(config) and keras.models.clone_model(model) endpoints when processing untrusted configurations.
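
A pre-deserialization check in the spirit of the mitigation above, as an added example that is not Keras code and not part of the original advisory: it walks an untrusted config and refuses any serialized lambda unless safe mode is explicitly False, so None fails closed. The "__lambda__" marker and the config layout are assumptions about how Keras 3 serializes Lambda functions; check_config, find_serialized_lambdas and the sample config are hypothetical names constructed here.

```python
# Added example: standalone pre-deserialization check; does not import Keras.
# Assumption: a serialized Python lambda appears in a layer config as a dict
# with "class_name": "__lambda__" (the form assumed for Keras 3 Lambda layers).

LAMBDA_MARKER = "__lambda__"


class UnsafeConfigError(ValueError):
    """Raised when a config carries a serialized lambda and safe mode applies."""


def find_serialized_lambdas(node, path="config"):
    """Return the paths of every serialized-lambda dict nested inside node."""
    hits = []
    if isinstance(node, dict):
        if node.get("class_name") == LAMBDA_MARKER:
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_serialized_lambdas(value, f"{path}[{key!r}]"))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            hits.extend(find_serialized_lambdas(value, f"{path}[{index}]"))
    return hits


def check_config(config, safe_mode=None):
    """Fail closed: only an explicit safe_mode=False permits lambdas.

    None (no SafeModeScope active) is treated like True, which is the
    opposite of the truthiness test described in the advisory.
    """
    hits = find_serialized_lambdas(config)
    if hits and safe_mode is not False:
        raise UnsafeConfigError(f"serialized lambda at: {', '.join(hits)}")
    return hits


# Constructed sample: a Lambda layer config nested in a model config.
# The "code" value is a placeholder, not real marshal data.
SAMPLE_MODEL_CONFIG = {
    "class_name": "Sequential",
    "config": {"layers": [
        {"class_name": "Dense", "config": {"units": 4}},
        {"class_name": "Lambda", "config": {"name": "l1", "function": {
            "class_name": LAMBDA_MARKER,
            "config": {"code": "<placeholder>", "defaults": None, "closure": None},
        }}},
    ]},
}
```

Run check_config on any config from an untrusted source before it reaches keras.layers.deserialize(config) or Lambda.from_config(config); the check complements an enclosing SafeModeScope(True) and does not replace it.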

Fix

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2026-12481

Affected Products

Keras