CVE-2026-1669 PUBLISHED

Arbitrary File Read in Keras via HDF5 External Datasets

Assigner: Google
Reserved: 29.01.2026 Published: 11.02.2026 Updated: 12.02.2026

Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Google
Product	Keras
Versions	Default: unaffected affected from 3.0.0 to 3.13.1 (excl.)

Credits

Giuseppe Massaro (https://github.com/N3mes1s) finder

References

https://github.com/google/security-research/security/advisories

Problem Types

CWE-73 External Control of File Name or Path CWE
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-563 Add Malicious File to Shared Webroot
CAPEC-126 Path Traversal