
ONNX Model Downloads Can Be Hacked Without Warning

GHSA-hqmj-h5c6-369m CVE-2026-28500
Summary

A security control bypass in ONNX's model hub loader lets an attacker get a victim to download and load a malicious model from an untrusted GitHub repository without any warning or confirmation prompt. The trust warning in onnx.hub.load() is skipped entirely when the caller passes silent=True, and the built-in SHA-256 check offers no protection because the attacker also controls the manifest that supplies the expected hash. Depending on what the loaded model is chained with, this can lead to sensitive files being exfiltrated from the victim's system. Until a fix is released, do not pass silent=True when loading models with onnx.hub.load(), and only load models from repositories you trust.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor          Product   Affected versions   Fix available
(not listed)    onnx      <= 1.20.1           No
Original title
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack
Original description
### Summary

A security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts.
### The Technical Flaw
The vulnerability is located in onnx/hub.py. The security gate uses a short-circuit evaluation that lets the caller's "silent" preference override the trust requirement:
```python
# Excerpt of the flawed gate as described in the advisory. Both conditions must
# hold for the warning to run, so silent=True skips the entire block.
if not _verify_repo_ref(repo) and not silent:
    # Warning + user confirmation: SKIPPED when silent=True
    print("The model repo... is not trusted")
    if input().lower() != "y":
        return None
```
**Key Points of Failure**:
**Complete Suppression**: If a developer or a third-party library sets silent=True, the application will download and load models from any attacker-controlled GitHub repository without notifying the user. The flag is meant to quiet output, but it also removes the only trust decision in the code path.
**Integrity Verification Bypass**: The SHA-256 integrity check validates the downloaded model against a manifest file served from the same repository. Since the attacker controls the repository, they also control the manifest, so they can publish a "valid" hash for a malicious model. The check proves the download was not corrupted in transit; it proves nothing about who produced the model.
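The following is an added example, not code from the ONNX project or from the advisory. It reproduces the two failure points above in a self-contained Python script: a `vulnerable_load()` that mirrors the flawed gate (with a constructed trusted-repo set standing in for `_verify_repo_ref()`, and an `answer` argument standing in for the interactive `input()` call), and a hypothetical `hardened_load()` wrapper in which `silent` only controls printing, loading from an untrusted repository requires an explicit opt-in, and the caller must supply a SHA-256 obtained out of band so the repository's own manifest is not the only integrity oracle. The repository contents, hashes and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the trusted-repo list consulted by _verify_repo_ref()
# in onnx/hub.py. This example never calls onnx; every name below is ours.
TRUSTED_REPOS = {"onnx/models:main"}


@dataclass
class FetchResult:
    model_bytes: bytes
    manifest_sha256: str  # the hash as published in the repo's own manifest


# Constructed repositories. In the real attack both the model file and the
# manifest come from the attacker's repo, so the manifest hash always "matches".
_FAKE_REPOS = {
    "onnx/models:main": FetchResult(
        b"legit-model", hashlib.sha256(b"legit-model").hexdigest()
    ),
    "attacker/models:main": FetchResult(
        b"evil-model", hashlib.sha256(b"evil-model").hexdigest()
    ),
}

# The hash a defender would have recorded out of band (constructed for the demo).
PINNED_EVIL_SHA256 = hashlib.sha256(b"evil-model").hexdigest()


def vulnerable_load(repo, silent=False, answer="n"):
    """Mirrors the flawed gate: `silent` short-circuits the trust warning.

    `answer` stands in for the interactive input() call so the flow can be
    exercised without a terminal (our substitution, not onnx's signature).
    """
    if repo not in TRUSTED_REPOS and not silent:
        print(f"The model repo {repo} is not trusted. Continue? [y/n]")
        if answer.lower() != "y":
            return None
    fetched = _FAKE_REPOS[repo]
    # Passes for the attacker's model because the attacker wrote the manifest:
    # this is an integrity check against the repo, not a trust check.
    if hashlib.sha256(fetched.model_bytes).hexdigest() != fetched.manifest_sha256:
        raise ValueError("manifest hash mismatch")
    return fetched.model_bytes


def hardened_load(repo, expected_sha256=None, allow_untrusted_repo=False, silent=False):
    """Hypothetical hardened wrapper (not onnx's API).

    - `silent` only controls printing; it can never waive the trust decision.
    - An untrusted repo needs an explicit allow_untrusted_repo=True from the
      caller, not an interactive prompt that a flag can skip.
    - Anything outside the trusted list must also match a SHA-256 the caller
      pinned out of band, so the repo's own manifest is not the sole oracle.
    """
    if repo not in TRUSTED_REPOS:
        if not allow_untrusted_repo:
            raise PermissionError(f"{repo} is not a trusted model repository")
        if expected_sha256 is None:
            raise PermissionError("untrusted repo requires a pinned expected_sha256")
        if not silent:
            print(f"WARNING: loading model from untrusted repo {repo}")
    fetched = _FAKE_REPOS[repo]
    digest = hashlib.sha256(fetched.model_bytes).hexdigest()
    if expected_sha256 is not None and not hmac.compare_digest(digest, expected_sha256):
        raise ValueError("model hash does not match the pinned expected_sha256")
    return fetched.model_bytes


def outcome(fn, *args, **kwargs):
    """Run a loader and report ("ok", result) or ("error", exception class name)."""
    try:
        return ("ok", fn(*args, **kwargs))
    except Exception as exc:  # classify every failure for the demo
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    evil = "attacker/models:main"
    print(outcome(vulnerable_load, evil, silent=True))   # ('ok', b'evil-model'): loaded silently
    print(outcome(vulnerable_load, evil, answer="n"))     # ('ok', None): user refused
    print(outcome(hardened_load, evil, silent=True))      # ('error', 'PermissionError')
    print(outcome(hardened_load, evil, allow_untrusted_repo=True,
                  expected_sha256=PINNED_EVIL_SHA256, silent=True))  # explicit opt-in + pin
    print(outcome(hardened_load, evil, allow_untrusted_repo=True,
                  expected_sha256="0" * 64, silent=True))  # ('error', 'ValueError'): pin mismatch
```

The design point is that a quiet-mode flag and a trust decision must be separate inputs: the hardened wrapper can be silent and still refuse, and the only way to accept an untrusted source is to say so explicitly and prove you know which bytes you expect.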
### Impact
This vulnerability turns a standard model-loading function into a vector for zero-interaction supply-chain attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded.
Source: GHSA · CVSS 3.1 base score: 8.6
Vulnerability type
CWE-345 Insufficient Verification of Data Authenticity
CWE-494 Download of Code Without Integrity Check
CWE-693 Protection Mechanism Failure
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026