Path Traversal in keras-team/keras
Summary
| CVE | CVE-2026-11816 |
|---|---|
| State | PUBLISHED |
| Assigner | @huntr_ai |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-11 14:16:26 UTC |
| Updated | 2026-07-01 13:54:11 UTC |
| Description | Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.005180000 probability, percentile 0.402150000 (date 2026-07-04)
Problem Types: CWE-22 | CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.0 | [email protected] | Secondary | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.0 | CNA | DECLARED | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v3.0 Breakdown
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Keras-team | Keras-team/keras | affected unspecified 3.14.0 custom | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-11816 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Mitigation, Third Party Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-11816.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | Third Party Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Third Party Advisory |
| github.com/keras-team/keras/commit/2465b6657b02c8eed308759b7e800e295ae01888 | [email protected] | github.com | Patch |
| huntr.com/bounties/a07e3983-7158-4419-af2b-38f1dea01a4f | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | huntr.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-11T15:01:09.030Z | Reported to Red Hat. |
| ADP | 2026-06-11T13:31:52.492Z | Made public. |
Workarounds
ADP: To mitigate this issue, avoid extracting archives from untrusted sources. When archive extraction is necessary, ensure that the operation is performed within a dedicated, restricted directory by explicitly changing the current working directory to a non-root, isolated location before extraction. This limits the potential impact of arbitrary file writes.