TensorFlow Security Vulnerabilities in 2026: CVEs, Keras Deserialization, and Supply Chain Risk
A practitioner breakdown of the top TensorFlow security vulnerabilities of 2026 — CVE-2025-49655 (CVSS 9.8), CVE-2025-12058 (SSRF/file access), DoS flaws in 2.18.0, and CI/CD supply chain compromise.
The 2026 TensorFlow security picture is worse than most ML teams realize: a CVSS 9.8 critical flaw in Keras’s PyTorch deserialization pathway, a pair of DoS bugs in TensorFlow 2.18.0, a file-read and SSRF vector that bypasses safe_mode, and a documented supply chain attack path through Google’s own CI/CD runners — all publicly disclosed within the past eight months. If your team loads pre-trained models from any external source without sandboxing, at least two of these apply to you directly.
Model Deserialization: Three CVEs, One Root Cause
The most exploitable class of TensorFlow and Keras vulnerabilities in 2026 follows a consistent pattern: model loading functions execute code or resolve file paths before security checks run. Three CVEs make this concrete.
CVE-2025-49655 (CVSS 9.8 — Critical) affects Keras versions 3.11.0 through 3.11.2. The TorchModuleWrapper.from_config method calls torch.load() during deserialization without weights_only=True, which internally uses Python’s pickle — a format that executes arbitrary Python bytecode on load. (PyTorch’s own documentation warns that torch.load() defaults to weights_only=False, making any call with an untrusted file path an arbitrary code execution primitive.) An attacker embeds a malicious pickle payload inside a .keras model file. The victim loads it. The payload runs with the victim process’s privileges. Safe mode does not prevent this because the restriction targets Lambda layer bytecode, not the PyTorch wrapper path. Keras 3.11.3 disables torch.load() in safe mode ↗ and raises a ValueError instead. If you run any Keras 3.11.x release below 3.11.3, stop loading external model files until you patch.
CVE-2025-12058 (CVSS 5.9 — Medium) affects Keras 3.11.3 and earlier — meaning the patch for 49655 did not close this one. The StringLookup and IndexLookup preprocessing layers accept vocabulary file paths or URLs as constructor arguments. During deserialization, Keras resolves and opens those paths via tf.io.gfile ↗ before any safe mode validation runs. Attack scenarios include reading SSH keys and cloud credentials from the local filesystem, reaching the AWS metadata endpoint (169.254.169.254) for IAM token theft, and embedding the exfiltration trigger inside a poisoned pre-trained model on a public hub. Keras 3.11.4 is the fix.
The safe_mode bypass class is not a single CVE but a documented research finding from JFrog that predates 49655 and 12058. Starting from CVE-2024-3660 — which showed that Lambda layer deserialization could run arbitrary code — Keras introduced safe_mode=True as a default. JFrog demonstrated that attackers can sidestep this by invoking Keras’s own utility functions (such as keras.utils.get_file) through the Functional API’s Lambda execution path. Before Keras 3.9, external functions like os.system were the payload vehicle. After 3.9, attackers pivoted to built-in Keras functions that write arbitrary files to disk — including SSH authorized keys. The protection model is blocklist-based, which means each patch cycle closes the currently-known bypass, not the class. The correct mitigation is sandboxing model load operations in an isolated container or subprocess ↗, not trusting safe_mode as a security boundary against adversarial model files.
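As an added example (not Keras code), a pre-load inspector that opens a .keras archive as a zip and walks its config.json for the layer classes discussed above, so a file can be rejected before any deserializer runs. It assumes the Keras 3 archive layout and that StringLookup/IndexLookup store the path under config["vocabulary"]; the sample archive is constructed in memory.

```python
import io
import json
import zipfile

# Layer classes whose deserialization can run embedded code: TorchModuleWrapper
# (CVE-2025-49655, torch.load/pickle) and Lambda (CVE-2024-3660 and its bypasses).
CODE_EXEC_LAYERS = {"TorchModuleWrapper", "Lambda"}
# Layers that open a vocabulary path or URL before safe_mode runs (CVE-2025-12058).
PATH_RESOLVING_LAYERS = {"StringLookup", "IndexLookup"}


def _walk(node):
    """Yield every dict in a nested JSON tree; Functional models nest layer configs."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def inspect_keras_archive(data: bytes) -> list:
    """Return findings for a .keras archive; an empty list means nothing was flagged.
    Assumes the Keras 3 layout: a zip holding config.json whose layer entries carry
    "class_name" with their arguments under "config"."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    findings = []
    for entry in _walk(config):
        cls = entry.get("class_name")
        if cls in CODE_EXEC_LAYERS:
            findings.append(f"{cls}: deserialization can execute embedded code")
        elif cls in PATH_RESOLVING_LAYERS:
            vocab = entry.get("config", {}).get("vocabulary")
            if isinstance(vocab, str):  # list = inline tokens; str = path or URL
                findings.append(f"{cls}: vocabulary read from path/URL {vocab!r}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not a real model: two risky layers among benign ones."""
    config = {"class_name": "Sequential", "config": {"layers": [
        {"class_name": "Dense", "config": {"units": 4}},
        {"class_name": "StringLookup", "config": {"vocabulary": "http://example.invalid/vocab.txt"}},
        {"class_name": "TorchModuleWrapper", "config": {"module": "<serialized-module-placeholder>"}},
    ]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
    return buf.getvalue()
```

Run the inspector in the isolated loader process and refuse to call keras.saving.load_model when it returns any finding.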
For a running tracker of ML CVEs in this category, ai-alert.org ↗ maintains an index of model-loading and deserialization disclosures across frameworks.
DoS, Supply Chain Compromise, and API-Level Abuse
Beyond deserialization, three additional vectors are active.
CVE-2025-55559 (CVSS 7.5 — High) is a network-reachable denial-of-service in TensorFlow 2.18.0. The tf.keras.layers.Conv2D layer with padding='valid' triggers uncontrolled resource consumption. No authentication is required; an attacker who can submit inference requests to a TensorFlow Serving endpoint can exhaust server resources and take it offline. The NVD entry ↗ confirms the CVSS vector as AV:N/AC:L/PR:N/UI:N — about as accessible as remote vulnerabilities get.
Supply chain via CI/CD runners: Praetorian published a full attack chain against TensorFlow’s GitHub Actions infrastructure. Three misconfigurations combined to make official releases tamperable: self-hosted ARM64 build runners were non-ephemeral and reachable by fork PRs without contributor approval; GITHUB_TOKEN held write access to repository contents; and repository secrets including the PyPI upload token were accessible during runner compromise. The attack path: land a trivial PR to establish contributor status, submit a malicious fork PR targeting the self-hosted runner, capture the PyPI token during a legitimate workflow run, upload a backdoored release. Google has since required approval for all fork PRs and restricted token permissions ↗ to read-only on self-hosted runner workflows. This attack was fully demonstrable, not theoretical.
API-level abuse at inference time: January 2026 research (arXiv:2601.04553, accepted to Virus Bulletin 2025) documents a class of attacks where adversarial models embed hidden file I/O and network send/receive operations using legitimate TensorFlow APIs — no Lambda layers, no pickle. The malicious behavior fires during inference, not model load, which means most static scanners miss it entirely. The researchers found that model-hub scanning tools relying on syntactic pattern matching fail to detect these stealthy API chains ↗. Organizations that reuse pre-trained models from TensorFlow Hub or Hugging Face to reduce training costs are the primary target.
For practical coverage of the offensive AI techniques that feed into model poisoning and supply chain attacks, aisec.blog ↗ covers prompt injection, agent exploitation, and related ML attack research.
What Defenders Should Do
Five concrete actions, ordered by impact:
- Upgrade Keras immediately. Keras 3.11.4 closes both CVE-2025-49655 and CVE-2025-12058. If you run any 3.11.x release below 3.11.4, you are vulnerable to critical-severity deserialization attacks. Check with pip show keras.
- Never load external model files in your application process. Spawn a subprocess or container with no network access, no filesystem access beyond the model file, and a read-only filesystem. Kill the container after inference returns. Treat safe_mode=True as a defense-in-depth layer, not a security boundary.
- Pin model file hashes in your artifact pipeline. Whether you pull from TensorFlow Hub, Hugging Face, or an internal registry, record the SHA-256 of every model file at validation time and verify it on every load. An attacker who poisons a hub entry after your first pull cannot substitute a malicious version undetected.
- Audit GitHub Actions runner configuration. If you run self-hosted runners for any Python package, confirm that fork PRs require explicit approval before they access runners, that GITHUB_TOKEN permissions are contents: read for all workflows that touch runners, and that secrets are scoped by environment with a required reviewer gate. The Praetorian attack path is generalizable beyond TensorFlow.
- Scan for inference-time API abuse, not just load-time signatures. Static pattern matching misses the API-abuse class. Consider dynamic sandboxed execution with syscall auditing (seccomp) to detect unexpected file reads or network calls during a model’s inference path before it reaches production.
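An audit of a parsed GitHub Actions workflow for the three runner misconfigurations in the Praetorian chain and in the audit item above, added here as an example rather than Praetorian's or TensorFlow's tooling. It assumes the workflow was already loaded with yaml.safe_load (the dicts here are constructed inline to stay standard-library only) and checks only what the YAML shows; the fork-PR approval requirement is a repository setting and must be verified there.

```python
import json


def _on_self_hosted(job: dict) -> bool:
    """True when the job's runs-on labels include GitHub's 'self-hosted' label."""
    runs_on = job.get("runs-on", [])
    labels = runs_on if isinstance(runs_on, list) else [runs_on]
    return any("self-hosted" in str(label) for label in labels)


def _token_can_write(permissions) -> bool:
    """True unless the GITHUB_TOKEN is explicitly read-only (or fully disabled with {})."""
    if permissions is None:  # unset: the repository default applies, which may allow writes
        return True
    if isinstance(permissions, str):
        return permissions == "write-all"
    return any(scope == "write" for scope in permissions.values())


def audit_workflow(workflow: dict) -> list:
    """Return findings for one parsed workflow; an empty list means all three checks pass."""
    # PyYAML parses the bare key `on` as boolean True (YAML 1.1), so accept either key.
    triggers = workflow.get("on", workflow.get(True, {}))
    names = set(triggers) if isinstance(triggers, (dict, list)) else {triggers}
    fork_reachable = bool(names & {"pull_request", "pull_request_target"})
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        self_hosted = _on_self_hosted(job)
        if fork_reachable and self_hosted:
            findings.append(f"{name}: fork PRs can schedule work on a self-hosted runner")
        if self_hosted and _token_can_write(job.get("permissions", workflow.get("permissions"))):
            findings.append(f"{name}: GITHUB_TOKEN is not contents: read on a self-hosted runner")
        if "secrets." in json.dumps(job) and "environment" not in job:
            findings.append(f"{name}: uses secrets outside an environment with a reviewer gate")
    return findings


# Constructed samples, not TensorFlow's workflows: WEAK mirrors the three misconfigurations, HARDENED the remediated shape.
UPLOAD_STEP = {"run": "twine upload dist/*", "env": {"TWINE_PASSWORD": "${{ secrets.PYPI_TOKEN }}"}}
WEAK_WORKFLOW = {
    "on": ["pull_request", "push"],
    "jobs": {"build-arm64": {"runs-on": ["self-hosted", "ARM64"], "steps": [UPLOAD_STEP]}},
}
HARDENED_WORKFLOW = {
    "on": {"push": {"tags": ["v*"]}, "workflow_dispatch": {}},
    "permissions": {"contents": "read"},
    "jobs": {"build-arm64": {"runs-on": ["self-hosted", "ARM64"], "environment": "pypi-release",
                             "steps": [UPLOAD_STEP]}},
}
```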
TensorFlow’s own security policy ↗ defines what constitutes a reportable vulnerability — read it before assuming that model-loading issues outside “safe scenarios” will receive CVE treatment. Report findings through the Google Bug Hunters form.
Sources
- CVE-2025-55559 — TensorFlow 2.18.0 DoS via Conv2D (NVD) ↗ — NVD entry confirming CVSS 7.5 HIGH, network-accessible, unauthenticated.
- CVE-2025-49655 — Critical Keras Deserialization (Wiz) ↗ — Detailed breakdown of the TorchModuleWrapper pickle chain; CVSS 9.8.
- CVE-2025-12058 — Keras SSRF and Arbitrary File Access (Zscaler) ↗ — Zscaler original research on StringLookup/IndexLookup SSRF; fixed in Keras 3.11.4.
- Keras safe_mode Bypass (JFrog) ↗ — Documents the bypass evolution from CVE-2024-3660 through Keras 3.9.
- TensorFlow Supply Chain Compromise via Self-Hosted Runner Attack (Praetorian) ↗ — Full attack chain against TensorFlow’s CI/CD; remediations confirmed by Google.
- Abuse of DL APIs to Create Malicious AI Models (arXiv:2601.04553) ↗ — January 2026 research on inference-time API abuse vectors; accepted Virus Bulletin 2025.