{"id":"CVE-2026-12480","summary":"Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras","details":"Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` and `file_editor.py` methods, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.","modified":"2026-07-08T08:12:45.370414590Z","published":"2026-07-01T16:53:32.326Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"3.12.2, 3.14.1"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12480.json","cwe_ids":["CWE-73"],"cna_assigner":"@huntr_ai"},"references":[{"type":"WEB","url":"https://huntr.com/bounties/1875d257-5b03-4a69-ac70-e98653fa12c7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12480.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12480"},{"type":"FIX","url":"https://github.com/keras-team/keras/commit/d5a88bdb137c0d3039b8f4bbbe8c7099925cc10c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keras-team/keras","events":[{"introduced":"0"},{"fixed":"d5a88bdb137c0d3039b8f4bbbe8c7099925cc10c"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v3.14.0","v3.12.0","v3.11.0","v3.10.0","v3.9.0","v3.8.0","v3.7.0","v3.6.0","v3.5.0","v3.4.1","v3.4.0","v3.3.3","v3.3.2","v3.3.1","v3.3.0","v3.2.1","v3.2.0","v3.1.1","v3.1.0","v3.0.5","v3.0.4","v3.0.3","v3.0.2","v3.0.1","v3.0.0","v2.9.0-rc0","v2.8.0-rc0","v2.7.0-rc0","v2.6.0-rc0","2.4.0","2.3.1","2.3.0","2.2.4","2.2.3","2.2.2","2.2.1","2.2.0","2.1.6","2.1.5","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.9","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","1.2.0","1.1.1","1.1.0","1.0.8","1.0.7","1.0.6","1.0.5","1.0.4","1.0.3","1.0.2","1.0.1","1.0.0","0.3.2","0.3.1","0.3.0","0.2.0","0.1.3","0.1.2","0.1.1","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12480.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}