ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load

GHSA-cmw6-hcpp-c6jp · CVE-2026-34446

Published Apr 1, 2026 · Modified Apr 4, 2026

Description

Summary

The issue is in onnx.load — the code checks for symlinks to prevent path traversal, but completely misses hardlinks, which is the problem, since a hardlink looks exactly like a regular file on the filesystem.

The Real Problem

The validator in onnx/checker.cc only calls is_symlink() and never checks the inode or st_nlink, so a hardlink walks right through every security check without any issues.

Impact

Especially dangerous in AI supply chain scenarios like HuggingFace — a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.

References

WEB https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34446
WEB https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb
PACKAGE https://github.com/onnx/onnx

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes