CVE-2026-1669

Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/google/security-research/security/advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*

History

26 Feb 2026, 23:23

Type	Values Removed	Values Added
First Time		Keras keras Keras
Summary		(es) Lectura arbitraria de archivos en el mecanismo de carga de modelos (integración HDF5) en las versiones de Keras 3.0.0 a 3.13.1 en todas las plataformas compatibles permite a un atacante remoto leer archivos locales y divulgar información sensible a través de un archivo de modelo .keras manipulado que utiliza referencias de conjuntos de datos externos de HDF5.
References	~~() https://github.com/google/security-research/security/advisories -~~	() https://github.com/google/security-research/security/advisories - Third Party Advisory
CPE		cpe:2.3:a:keras:keras::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

11 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 23:16

Updated : 2026-02-26 23:23

NVD link : CVE-2026-1669

Mitre link : CVE-2026-1669

CVE.ORG link : CVE-2026-1669

JSON object : View

Products Affected

keras

keras

CWE

CWE-73

External Control of File Name or Path

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-1669", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-11T23:16:03.750", "references": [{"url": "https://github.com/google/security-research/security/advisories", "tags": ["Third Party Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references."}, {"lang": "es", "value": "Lectura arbitraria de archivos en el mecanismo de carga de modelos (integraci\u00f3n HDF5) en las versiones de Keras 3.0.0 a 3.13.1 en todas las plataformas compatibles permite a un atacante remoto leer archivos locales y divulgar informaci\u00f3n sensible a trav\u00e9s de un archivo de modelo .keras manipulado que utiliza referencias de conjuntos de datos externos de HDF5."}], "lastModified": "2026-02-26T23:23:59.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:keras:keras:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9A0900F-16FA-498D-B7BA-34BC78CA98F7", "versionEndIncluding": "3.13.1", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}