{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-1462","assignerOrgId":"c09c270a-b464-47c1-9133-acb35b22c19a","state":"PUBLISHED","assignerShortName":"@huntr_ai","dateReserved":"2026-01-27T04:14:51.848Z","datePublished":"2026-04-13T14:55:28.649Z","dateUpdated":"2026-06-30T12:07:10.039Z"},"containers":{"cna":{"title":"Safe Mode Bypass in keras-team/keras","providerMetadata":{"orgId":"c09c270a-b464-47c1-9133-acb35b22c19a","shortName":"@huntr_ai","dateUpdated":"2026-04-13T14:55:28.649Z"},"descriptions":[{"lang":"en","value":"A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method."}],"affected":[{"vendor":"keras-team","product":"keras-team/keras","versions":[{"version":"unspecified","lessThan":"3.13.2","status":"affected","versionType":"custom"}]}],"references":[{"url":"https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"},{"url":"https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f"}],"metrics":[{"cvssV3_0":{"version":"3.0","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-502 Deserialization of Untrusted Data","cweId":"CWE-502"}]}],"source":{"advisory":"7e78d6f1-6977-4300-b595-e81bdbda331c","discovery":"EXTERNAL"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-13T18:53:01.058651Z","id":"CVE-2026-1462","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-13T18:53:12.291Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-04-13T14:55:28.649Z","descriptions":[{"lang":"en","value":"A flaw was found in the `keras` package. This vulnerability allows an attacker to execute unauthorized code on a victim's system. It occurs when a victim loads a specially crafted `.keras` model, even if the `safe_mode` security feature is active. The issue arises because the `keras` package can unconditionally load external TensorFlow SavedModels without sufficient validation, thereby bypassing the intended security protections and leading to arbitrary code execution."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-1462"},{"name":"RHBZ#2457856","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2457856"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1462.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24977"}],"solutions":[{"lang":"en","value":"RHSA-2026:24977: Red Hat OpenShift AI 2.25"}],"timeline":[{"lang":"en","time":"2026-04-13T15:02:12.634Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-13T14:55:28.649Z","value":"Made public."}],"title":"keras: Keras: Arbitrary Code Execution Vulnerability Bypassing Safe Mode","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:10.039Z"}}]}}