CVE-2026-1462: Keras has an untrusted deserialization vulnerability

April 13, 2026 (updated April 14, 2026)

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled code execution during model inference under the victim’s privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the from_config() method.

References

github.com/advisories/GHSA-4f3f-g24h-fr8m
github.com/keras-team/keras
github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f
github.com/keras-team/keras/pull/22035
huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c
nvd.nist.gov/vuln/detail/CVE-2026-1462

Code Behaviors & Features

Detect and mitigate CVE-2026-1462 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →