Keras has an untrusted deserialization vulnerability

GHSA-4f3f-g24h-fr8m · CVE-2026-1462

Published Apr 13, 2026 · Modified May 18, 2026

Description

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-1462
WEB https://github.com/keras-team/keras/pull/22035
WEB https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f
PACKAGE https://github.com/keras-team/keras
WEB https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes