CVE-2026-1462: CWE-502 Deserialization of Untrusted Data in keras-team keras-team/keras
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.
AI Analysis
Technical Summary
This vulnerability in keras-team/keras version 3.13.0 involves unsafe deserialization in the TFSMLayer class. Specifically, attacker-controlled TensorFlow SavedModels can be loaded during deserialization of .keras models despite safe_mode=True, which is intended to prevent such unsafe operations. The root cause is the unconditional loading of external SavedModels and the serialization of attacker-controlled file paths without validation in the from_config() method. This flaw enables arbitrary code execution during model inference under the victim's privileges, representing a critical security risk in environments using this package for machine learning model deployment.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the victim's system during model inference, potentially leading to full system compromise under the privileges of the user running the keras model. This compromises confidentiality, integrity, and availability of the affected system. The vulnerability bypasses intended safe_mode protections, increasing the risk of exploitation in environments relying on keras for model loading and inference.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch has been published at this time. Until a patch is available, users should avoid loading untrusted or attacker-controlled .keras models and consider restricting model sources to trusted origins. Monitor official keras-team communications for updates on remediation.
CVE-2026-1462: CWE-502 Deserialization of Untrusted Data in keras-team keras-team/keras
Description
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in keras-team/keras version 3.13.0 involves unsafe deserialization in the TFSMLayer class. Specifically, attacker-controlled TensorFlow SavedModels can be loaded during deserialization of .keras models despite safe_mode=True, which is intended to prevent such unsafe operations. The root cause is the unconditional loading of external SavedModels and the serialization of attacker-controlled file paths without validation in the from_config() method. This flaw enables arbitrary code execution during model inference under the victim's privileges, representing a critical security risk in environments using this package for machine learning model deployment.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the victim's system during model inference, potentially leading to full system compromise under the privileges of the user running the keras model. This compromises confidentiality, integrity, and availability of the affected system. The vulnerability bypasses intended safe_mode protections, increasing the risk of exploitation in environments relying on keras for model loading and inference.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch has been published at this time. Until a patch is available, users should avoid loading untrusted or attacker-controlled .keras models and consider restricting model sources to trusted origins. Monitor official keras-team communications for updates on remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-01-27T04:14:51.848Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd057082d89c981f016d7f
Added to database: 4/13/2026, 3:02:08 PM
Last enriched: 4/13/2026, 3:31:50 PM
Last updated: 4/14/2026, 9:44:28 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.