CVE-2026-1669: Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading
TensorFlow / Keras continues to honor HDF5 “external storage” and ExternalLink features when loading weights. A malicious .weights.h5 (or a .keras archive embedding such weights) can direct load_weights() to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (tensorflow 2.20.0, keras 3.11.3, h5py 3.15.1, numpy 2.3.4).
References
- github.com/advisories/GHSA-3m4q-jmj6-r34q
- github.com/keras-team/keras
- github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553
- github.com/keras-team/keras/pull/22057
- github.com/keras-team/keras/releases/tag/v3.12.1
- github.com/keras-team/keras/releases/tag/v3.13.2
- github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q
- nvd.nist.gov/vuln/detail/CVE-2026-1669
Code Behaviors & Features
Detect and mitigate CVE-2026-1669 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →