AI Threat Alert
CVE-2026-1669 is a high-severity arbitrary file read in Keras 3.0.0–3.13.1 that requires no authentication or user interaction to exploit. Any system that loads .keras model files from untrusted sources — model APIs, MLOps pipelines, collaborative ML platforms — is at risk of credential and secrets exposure. Patch to a fixed Keras version immediately and enforce trusted-source-only model loading across all inference and training infrastructure.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| keras | pip | >= 3.13.0, < 3.13.2 | 3.13.2 |
| keras | pip | — | No patch |
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade Keras beyond 3.13.1 to the fixed release as soon as available. Monitor the official Keras changelog and GitHub advisory. 2. WORKAROUND (if patch unavailable): Implement a custom model loading wrapper that strips or rejects HDF5 external dataset references before passing to Keras. 3. MODEL SOURCE CONTROL: Enforce cryptographic signing or hash verification for all model files loaded in production. Reject models from unverified sources at the pipeline ingestion layer. 4. LEAST PRIVILEGE: Run model loading processes with a restricted filesystem view (container with read-only mounts, seccomp profiles) limiting accessible paths. 5. DETECTION: Alert on file read syscalls from Python/ML processes accessing sensitive paths (/etc, ~/.aws, .env, *.pem, *.key) during model loading operations. Deploy eBPF-based runtime monitoring (Falco or similar) on ML inference nodes. 6. AUDIT: Inventory all Keras versions deployed across training, serving, and evaluation environments — include transitive dependencies via pip freeze.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
Exploitation Scenario
Adversary crafts a .keras model file embedding HDF5 external dataset references pointing to high-value local paths: /proc/1/environ (environment variables), ~/.aws/credentials, /run/secrets/*, or .env files common in Dockerized ML services. The file is published to a public model hub (e.g., HuggingFace) masquerading as a legitimate fine-tuned model, or submitted via a model evaluation API endpoint. When the target's automated pipeline or ML engineer calls keras.models.load_model() on this file, Keras resolves the external HDF5 references and reads the local files. In an inference API context, the resolved file contents surface in model metadata or error responses, disclosing credentials. An attacker with read access to cloud provider keys achieves full cloud account compromise from a single model file download.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/google/security-research/security/advisories 3rd Party
- github.com/advisories/GHSA-3m4q-jmj6-r34q
- github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553
- github.com/keras-team/keras/pull/22057
- github.com/keras-team/keras/releases/tag/v3.12.1
- github.com/keras-team/keras/releases/tag/v3.13.2
- github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q
- nvd.nist.gov/vuln/detail/CVE-2026-1669