External risk intelligence

ONNX onnx.hub.load() Control Bypass Allows Supply-Chain Attacks

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-28500

This vulnerability exists in a machine learning library function used during model loading, typically executed within local development, research, or data science environments. It is a client-side or build-time operation rather than a service exposed to the public internet.

Linuxfoundation Onnx

1.20.1 and earlier

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves the ONNX machine learning interoperability standard. A flaw in how it verifies model sources allows attackers to silently load malicious models that can exfiltrate sensitive files from a user's system. This is a critical risk for supply-chain attacks, as the compromise can occur without user interaction.

  • Malicious models can steal sensitive files silently.
  • Critical for securing the machine learning supply chain.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a user into loading a specially crafted machine learning model. The `onnx.hub.load()` function, when used with a specific parameter, bypasses security checks, allowing an attacker to silently exfiltrate sensitive files from the user's system as the model loads.

  • No authentication required for entry.
  • Loading a malicious model triggers the vulnerability.
  • Sensitive file exfiltration risk.

Live Threat

Current exploitation, exposure, and threat context

When the `silent=True` parameter is used with `onnx.hub.load()`, security warnings are suppressed. This could allow an attacker to load a malicious model that, when combined with file-system vulnerabilities, silently exfiltrates sensitive files like SSH keys or cloud credentials from a user's machine.

  • Sensitive files could be exfiltrated.
  • Malicious models can be loaded silently.
  • System compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The ONNX library's `onnx.hub.load()` function contains a critical security bypass vulnerability when the `silent=True` parameter is used. This allows for Zero-Interaction Supply-Chain Attacks, where an attacker can exfiltrate sensitive files from a victim's machine upon model loading, especially when combined with file system vulnerabilities. Teams responsible for machine learning development, data science platforms, or applications utilizing ONNX models should prioritize identifying affected systems. The first practical step involves locating all instances of the vulnerable ONNX version, assessing their network exposure and business criticality, identifying the accountable owner, and then planning remediation based on the identified risk, given that no patched versions are currently available.

  • Machine learning or application owners.
  • Verify model loading and silent parameter use.
  • Plan risk-based mitigation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the ONNX software library?

ONNX, or Open Neural Network Exchange, is an open standard designed to help different machine learning tools work together. It allows data scientists and developers to move models between various frameworks and environments. The vulnerable component, onnx.hub.load(), is a function used to fetch and load these pre-trained models into a project.

What does CVE-2026-28500 mean for my code?

This vulnerability is classified as a protection mechanism failure (CWE-693) and improper trust verification. It means the software fails to properly check if a model comes from a legitimate source. By bypassing these checks, the system blindly executes instructions from a potentially malicious model file, which could allow it to access and steal sensitive data from your local computer.

How does an attacker trigger this vulnerability?

The vulnerability is triggered when code calls the onnx.hub.load() function with the 'silent=True' parameter. This parameter is dangerous because it forces the library to ignore security warnings and confirmation prompts. Simply loading a model without this specific 'silent' setting does not trigger the bypass, as the library would otherwise attempt to alert the user about the origin of the model.

Do I need to worry if my code is not internet-facing?

According to Halo Surface Signal, this vulnerability is considered very unlikely to be exploited via the public internet. It primarily affects local development, research, or data science environments where models are loaded. The risk is highest if you are running code that processes untrusted model files, regardless of whether your system is reachable from the outside.

What should I do to secure my environment?

Since there is no patch yet, you should start by auditing your codebase to find where onnx.hub.load() is used. Check if 'silent=True' is present in those calls and remove it to restore security prompts. Additionally, ensure you only load models from trusted, official repositories and verify their integrity before use to prevent unauthorized access to your system files.

References