Path Traversal Vulnerability in Keras by Keras Team
CVE-2026-11816

8.1HIGH

Key Information:

Vendor

Keras-team

Vendor
CVE Published:
11 June 2026

What is CVE-2026-11816?

The vulnerability in Keras arises from inadequate validation of archive member paths during extraction processes. Specifically, in versions prior to 3.14.0, the functions responsible for filtering, filter_safe_tarinfos() and filter_safe_zipinfos(), incorrectly validate paths against the current working directory (CWD), particularly problematic when the CWD is set to /—a common configuration in environments such as Docker containers and CI/CD pipelines. This flaw allows attackers to exploit directory traversal paths, potentially leading to the unauthorized writing of files outside intended directories. Moreover, an existing bug in the zip filter can trigger an AttributeError if it encounters a blocked entry, resulting in incomplete extractions. Notably, systems using Python 3.11 may face heightened vulnerability due to the absence of essential safety filters, making the flawed CWD filter the primary boundary for entries. Consequently, successful exploitation may enable malicious activities, including overwriting configuration files and injecting harmful code into machine learning pipelines.

Affected Version(s)

keras-team/keras < 3.14.0

References

CVSS V3.0

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.