{"id":"GHSA-cmw6-hcpp-c6jp","summary":"ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load","details":"### Summary\nThe issue is in `onnx.load` — the code checks for symlinks to prevent path traversal, but completely misses hardlinks, which is the problem, since a hardlink looks exactly like a regular file on the filesystem.\n\n### The Real Problem\nThe validator in `onnx/checker.cc` only calls `is_symlink()` and never checks the inode or `st_nlink`, so a hardlink walks right through every security check without any issues.\n\n### Impact\nEspecially dangerous in AI supply chain scenarios like HuggingFace — a single malicious model is enough to silently steal secrets from the victim's machine without them noticing anything.","aliases":["CVE-2026-34446"],"modified":"2026-04-04T00:14:20.384367331Z","published":"2026-04-01T21:13:37Z","related":["CGA-gj88-qj5p-j3qr"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2026-04-01T18:16:30Z","github_reviewed":true,"github_reviewed_at":"2026-04-01T21:13:37Z","cwe_ids":["CWE-22","CWE-61"]},"references":[{"type":"WEB","url":"https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34446"},{"type":"WEB","url":"https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"},{"type":"PACKAGE","url":"https://github.com/onnx/onnx"}],"affected":[{"package":{"name":"onnx","ecosystem":"PyPI","purl":"pkg:pypi/onnx"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.21.0"}]}],"versions":["0.1","0.2","0.2.1","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.10.0","1.10.1","1.10.2","1.11.0","1.12.0","1.13.0","1.13.1","1.14.0","1.14.1","1.15.0","1.16.0","1.16.1","1.16.2","1.17.0","1.18.0","1.19.0","1.19.1","1.19.1rc1","1.2.1","1.2.2","1.2.3","1.20.0","1.20.0rc1","1.20.0rc2","1.20.1","1.20.1rc1","1.21.0rc1","1.21.0rc2","1.21.0rc3","1.21.0rc4","1.3.0","1.4.0","1.4.1","1.5.0","1.6.0","1.7.0","1.8.0","1.8.1","1.9.0"],"database_specific":{"last_known_affected_version_range":"\u003c= 1.20.1","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cmw6-hcpp-c6jp/GHSA-cmw6-hcpp-c6jp.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}