Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outsid

Description

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows to read arbitrary files outside model or user-provided directory. This issue has been patched in version 1.21.0.

Affected Products

Vendor	Product	Versions
onnx	onnx	pip/onnx: <= 1.20.0

References

https://github.com/onnx/onnx/security/advisories/GHSA-3r9x-f23j-gc73(x_refsource_CONFIRM)
https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB7d ago

CVE-2026-27489 | onnx up to 1.20.x path traversal (GHSA-3r9x-f23j-gc73)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

onnx@1.21.0

CWECWE-23, CWE-61

PublishedApr 1, 2026

Last enriched7d agov2

Trending Score9

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (2)

Version History

Last enriched 7d ago

v2Tier C7d ago

Updated vendor and product to 'onnx', added affected version '1.20.x', changed severity to 'HIGH', and noted that the vulnerability is actively exploited.

vendorproductaffectedVersionspatchAvailable

via VulDB

v17d ago

Initial creation