CVE-2026-12480: CWE-73 External Control of File Name or Path in keras-team keras-team/keras
Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in `H5IOStore._verify_dataset()` and in `file_editor.py`, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.
AI Analysis
Technical Summary
CVE-2026-12480 is a vulnerability in keras-team/keras affecting versions before 3.12.2 and versions from 3.12.3 up to 3.14.1. The issue arises from incomplete validation in `H5IOStore._verify_dataset()` and `file_editor.py`, which do not check the `dataset.is_virtual` property of HDF5 datasets. Attackers can exploit this by crafting malicious `.keras` or `.h5` files containing Virtual Datasets (VDS) that reference external HDF5 files on the victim's filesystem. When these models are loaded using `keras.models.load_model()` or `keras.saving.load_model()`, the external files are read transparently, potentially disclosing sensitive information. The vulnerability is a form of CWE-73 (External Control of File Name or Path).
Potential Impact
Successful exploitation allows an attacker to cause the victim's Keras environment to read arbitrary external HDF5 files referenced via Virtual Datasets in malicious model files. This discloses the contents of local files without the victim's explicit consent. The CVSS 3.0 score is 5.5 (medium severity), reflecting a local attack vector, low attack complexity, no privileges required, user interaction required, and high confidentiality impact.
Mitigation Recommendations
Fixed versions are 3.12.2 and 3.14.1. Users should upgrade to at least version 3.14.1 to fully remediate the vulnerability. Patch status is not explicitly stated as 'official-fix' or 'temporary-fix' in the vendor advisory, but the description clearly states the issue is fixed in these versions. No other mitigation or workaround is provided.
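An added example, not code from the Keras project or the advisory: a pre-load check that uses h5py's `is_virtual` and `virtual_sources()` to list every Virtual Dataset in a `.h5` weights file or in the `.h5` members of a `.keras` archive. The function names are hypothetical, and the `.keras` file is assumed to be a zip archive.

```python
import io
import zipfile


def find_virtual_datasets(root):
    """Return {dataset_path: [source file names]} for every VDS under root.

    root is an open h5py.File or Group. Only Dataset.is_virtual and
    Dataset.virtual_sources() are consulted.
    """
    hits = {}

    def visit(name, obj):
        # Groups have no is_virtual attribute; ordinary datasets report False.
        if getattr(obj, "is_virtual", False):
            hits[name] = [src.file_name for src in obj.virtual_sources()]

    root.visititems(visit)
    return hits


def scan_model_file(path):
    """Scan a .h5 file, or each .h5 member of a .keras archive (assumed zip)."""
    import h5py  # third-party; imported here so the walker has no hard dependency

    findings = {}
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            for member in archive.namelist():
                if member.endswith(".h5"):
                    # Read the member into memory; nothing is extracted to disk.
                    data = io.BytesIO(archive.read(member))
                    with h5py.File(data, "r") as h5:
                        findings[member] = find_virtual_datasets(h5)
    else:
        with h5py.File(path, "r") as h5:
            findings[path] = find_virtual_datasets(h5)
    # Report only files that actually declare virtual datasets.
    return {name: hits for name, hits in findings.items() if hits}
```

A non-empty result from `scan_model_file()` means the file declares a VDS and names the files it maps, which is the property the affected loaders do not check.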
CVSS v3.0
Score: 5.5 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2026-06-17T00:57:28.799Z
- CVSS Version: 3.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a45492827e9c79719d6203b
Added to database: 07/01/2026, 17:06:48 UTC
Last enriched: 07/01/2026, 17:37:28 UTC
Last updated: 07/01/2026, 22:58:31 UTC