CVE Catalog

CVE-2026-12480

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

A vulnerability in Keras versions up to and including 3.13.2 allows arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The issue stems from missing checks of the `dataset.is_virtual` property in `H5IOStore._verify_dataset()` and `file_editor.py` methods. An attacker can craft a malicious `.keras` model or `.h5` weights file with a Virtual Dataset (VDS) referencing external HDF5 files.

Risk Assessment

The risk involves potential disclosure of sensitive data when a victim loads a crafted model using `keras.models.load_model()` or `keras.saving.load_model()`. An attacker can read arbitrary HDF5 files accessible to the user running the process.

Recommendation

Immediately upgrade Keras to version 3.12.2 or 3.14.1, which contain the complete fix. Until upgraded, avoid loading models from untrusted sources.

Original NVD description (English source)

Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` and `file_editor.py` methods, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS