Path Traversal Vulnerability in Keras by Keras Team
CVE-2026-11816
What is CVE-2026-11816?
The vulnerability in Keras arises from inadequate validation of archive member paths during extraction. In versions prior to 3.14.0, the filtering functions filter_safe_tarinfos() and filter_safe_zipinfos() incorrectly validate paths against the current working directory (CWD). This is particularly problematic when the CWD is /, a common configuration in environments such as Docker containers and CI/CD pipelines. The flaw lets an attacker use directory traversal paths in an archive, potentially leading to files being written outside the intended directories. In addition, a bug in the zip filter can raise an AttributeError when it encounters a blocked entry, resulting in incomplete extractions. Systems using Python 3.11 may face heightened exposure because essential safety filters are absent there, which leaves the flawed CWD filter as the primary boundary for entries. Successful exploitation may enable malicious activity such as overwriting configuration files and injecting harmful code into machine learning pipelines.
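The following added example is not Keras code. It models a CWD-anchored check as the paragraph above describes it, beside a check anchored to the extraction directory. The function names, the directory /srv/models/extract and the sample entries are assumptions constructed for illustration.

```python
import os
import tarfile

def cwd_anchored_ok(name, cwd):
    """Model of the flawed check: member path must resolve under the CWD."""
    resolved = os.path.normpath(os.path.join(cwd, name))
    return os.path.commonpath([cwd, resolved]) == cwd

def dest_anchored_ok(name, dest):
    """Hardened check: member path must resolve under the extraction directory."""
    dest = os.path.realpath(dest)
    resolved = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, resolved]) == dest

def safe_members(members, dest):
    """Keep only TarInfo entries whose path and link target stay inside dest."""
    kept = []
    for m in members:
        ok = dest_anchored_ok(m.name, dest)
        if ok and (m.issym() or m.islnk()):
            # Symlink targets resolve from the link's own directory,
            # hard-link targets from the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            ok = dest_anchored_ok(os.path.join(base, m.linkname), dest)
        if ok:
            kept.append(m)  # blocked entries are dropped and iteration continues
    return kept

def sample_members():
    """Constructed sample entries; no archive is read or written."""
    link = tarfile.TarInfo("model/latest")
    link.type, link.linkname = tarfile.SYMTYPE, "../../etc"
    return [tarfile.TarInfo("model/config.json"),
            tarfile.TarInfo("../outside.txt"),
            tarfile.TarInfo("/abs/outside.txt"),
            link]

if __name__ == "__main__":
    dest = "/srv/models/extract"  # hypothetical extraction directory
    for m in sample_members():
        print(f"{m.name!r:22} cwd=/ check: {cwd_anchored_ok(m.name, '/')}  "
              f"dest check: {dest_anchored_ok(m.name, dest)}")
    print([m.name for m in safe_members(sample_members(), dest)])
```

With the CWD at /, every resolved path is trivially under the CWD, so the CWD-anchored check accepts all four entries. The destination-anchored check keeps only model/config.json.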
Affected Version(s)
keras-team/keras < 3.14.0
