AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0,

mediumvulnerability

security

Source: NVD/CVE DatabaseApril 1, 2026CVE-2026-34446

Summary

ONNX (Open Neural Network Exchange, a standard format for sharing machine learning models) has a security flaw in versions before 1.21.0 where its file-loading function checks for symlinks (shortcuts to files) but misses hardlinks (alternate names pointing to the same file), allowing attackers to bypass path traversal protections (restrictions that prevent accessing files outside an intended folder).

Solution / Mitigation

Update ONNX to version 1.21.0 or later, where this issue has been patched.

Vulnerability Details

CVSS Score

4.7(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

local

Attack Complexity

high

Privileges Required

none

User Interaction

required

Disclosure Date

April 1, 2026

Classification

Attack Type

Supply Chain

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedFramework

Taxonomy References

CWE (Weakness Type)

CWE-22 CWE-61

CAPEC (Attack Pattern)

CAPEC-126

MITRE ATLAS (AI/ML Threat Technique)

Affected Vendors

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Similar attackTechCrunch

critical

CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose

Similar attackNVD/CVE Database

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34446

First tracked: April 1, 2026 at 08:08 PM

Classified by LLM (prompt v3) · confidence: 92%