RAXE-2026-039: ONNX Hub Silent Security Warning Bypass Enables Supply Chain Attacks (CVE-2026-28500)

1. Executive Summary

A critical security control bypass in the ONNX (Open Neural Network Exchange) Python library allows the onnx.hub.load() function's silent=True parameter to suppress all trust verification warnings and user confirmation prompts, enabling silent loading of models from untrusted repositories (NVD, GHSA-hqmj-h5c6-369m). NIST assigns a Primary CVSS 3.1 score of 9.1 critical (NVD); all ONNX versions up to and including 1.20.1 are affected and no patched version is available (GHSA-hqmj-h5c6-369m). Organisations using onnx.hub.load() with silent=True, a pattern common in non-interactive pipelines (RAXE assessment), should audit their codebases immediately and remove the silent=True parameter to restore trust verification prompts.

2. Risk Rating

Dimension	Rating	Detail
Severity	Critical (NIST Primary)	`CVSS 3.1` base score 9.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` (NVD)
Urgency	High	No patched version available; public PoC exists (`GHSA-hqmj-h5c6-369m`)
Scope	Medium	ONNX is a foundational ML interchange format; exposure depends on `silent=True` usage in model loading pipelines (RAXE assessment)
Confidence	High	CVE in Analyzed status at NVD with NIST Primary scoring; vendor advisory from ONNX project; public PoC from credited researcher (NVD, `GHSA-hqmj-h5c6-369m`)
Business Impact	High	Silent supply chain compromise of ML inference pipelines; no user-visible indicator of exploitation (RAXE assessment)

CVSS Divergence Note

Two CVSS 3.1 scores are published for this CVE (NVD):

Source	Type	Score	Severity	Vector
NIST	Primary	9.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
GitHub (CNA)	Secondary	8.6	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`

The scores diverge on two dimensions:

Integrity Impact: NIST rates Integrity as High (I:H), reflecting the ability to silently substitute legitimate models with malicious ones. GitHub rates Integrity as None (I:N), scoping the assessed impact to confidentiality only (NVD).
Scope: NIST rates Scope as Unchanged (S:U); GitHub rates Scope as Changed (S:C), indicating the CNA considers impact to extend beyond the vulnerable component's security authority (NVD).

RAXE reporting uses the NIST Primary score of 9.1 critical for severity language, as NIST is the authoritative scoring source for NVD entries and the integrity impact reflects the practical ability to substitute model artefacts in the supply chain (RAXE assessment).

3. Affected Products

Product	Vendor	Registry	Affected Versions	Fixed Version	Status
ONNX	Linux Foundation	PyPI (`onnx`)	<= 1.20.1	None available	Unpatched

Source: GHSA-hqmj-h5c6-369m, NVD CPE cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:* (NVD).

Am I Affected?

Check if your codebase or dependencies include the onnx package: pip show onnx
Check your installed version: python3 -c "import onnx; print(onnx.__version__)": any version up to and including 1.20.1 is vulnerable
Search for silent=True usage in ONNX Hub loading calls: grep -r "hub\.load\|hub\.download_model_with_test_data\|hub\.load_composite_model" . | grep "silent.*True"
Highest risk: silent=True combined with a non-official or attacker-controllable repo= parameter (i.e., anything other than the default onnx/models repository). This combination silently loads models from untrusted sources with no verification prompt.
Lower risk (still affected): silent=True with the default onnx/models repository. This disables the trust verification prompt but relies on the official repository not being compromised. The underlying SHA256 manifest weakness (Section 7.2) still applies.
If silent=True is found without an explicit repo= parameter pointing to a trusted source, audit whether the repository value could be influenced by user input, environment variables, or configuration files (RAXE assessment)

4. Abstract

CVE-2026-28500 is a security control bypass in the ONNX Python library affecting all versions up to and including 1.20.1 (GHSA-hqmj-h5c6-369m). The vulnerability resides in onnx/hub.py, where the trust verification logic for model repository sources uses short-circuit evaluation that is entirely defeated by the silent=True parameter (GHSA-hqmj-h5c6-369m). When a developer passes silent=True to onnx.hub.load(), the function proceeds to load models from any repository, including attacker-controlled ones, without displaying any warning or requesting user confirmation (GHSA-hqmj-h5c6-369m). A secondary weakness compounds this: the SHA256 integrity check validates model files against a manifest fetched from the same repository, meaning an attacker who controls the repository also controls the manifest (GHSA-hqmj-h5c6-369m). No patched version is available at the time of writing (GHSA-hqmj-h5c6-369m). NVD assigns three CWEs: CWE-345 (Insufficient Verification of Data Authenticity), CWE-494 (Download of Code Without Integrity Check), and CWE-693 (Protection Mechanism Failure) (NVD).

5. Key Findings

Silent trust verification bypass. The silent=True parameter in onnx.hub.load() suppresses all security warnings and user confirmation prompts for untrusted repositories due to flawed short-circuit evaluation in the repository trust check (GHSA-hqmj-h5c6-369m).
Integrity check rendered ineffective. The SHA256 manifest used for model file integrity verification is fetched from the same repository as the model itself. An attacker who controls the repository controls the manifest, enabling them to supply valid hashes for malicious model files (GHSA-hqmj-h5c6-369m).
No patch available. All ONNX versions up to and including 1.20.1 are affected. No patched version has been released, and no vendor timeline for a fix has been published (GHSA-hqmj-h5c6-369m).
Unauthenticated, network-accessible attack. Both NIST and GitHub CNA score the attack vector as Network with no privileges required and no user interaction (PR:N, UI:N), meaning an unauthenticated attacker can exploit this by hosting a malicious model repository (NVD).
Public PoC available. A proof-of-concept demonstrating silent model loading from an attacker-controlled repository has been published by credited researcher ZeroXJacks (ZeroXJacks PoC).
Low EPSS score; early stage. EPSS score is 0.00008 (percentile: 0.64%) as of 2026-03-19 (FIRST.org EPSS). This places the vulnerability in the lowest exploitation probability tier, though EPSS may not yet reflect the public PoC availability (RAXE assessment).

6. Attack Flow

  ATTACKER                         VICTIM PIPELINE
  --------                         ---------------

  [1] Create malicious repository
      containing:
      - Malicious ONNX model file
      - Matching SHA256 manifest
            |
            v
  [2] Publish repo (e.g.,
      attacker-account/
      malicious-models:main)
            |
            |  (victim code references
            |   attacker repo + silent=True)
            v
  [3] Victim calls:                [3a] onnx.hub.load(
      onnx.hub.load(                      "ResNet50",
        "ResNet50",         ---------->    repo=EVIL_REPO,
        repo=EVIL_REPO,                    silent=True
        silent=True                       )
      )
            |
            v
  [4] Trust verification
      in hub.py:
      if not _verify_repo_ref(repo)
         and not silent:
         # WARNING: SKIPPED
         # because silent=True
            |
            v
  [5] SHA256 check validates
      against attacker's own
      manifest: PASSES
            |
            v
  [6] Malicious model loaded
      silently into victim
      application; no warning,
      no prompt, no log entry

Source: Attack flow reconstructed from GHSA-hqmj-h5c6-369m advisory description, ZeroXJacks PoC, and NVD description.

7. Technical Details

7.1 Vulnerable Code Path

The vulnerability resides in onnx/hub.py within the onnx.hub.load() function. The trust verification logic uses a short-circuit conditional (GHSA-hqmj-h5c6-369m):

if not _verify_repo_ref(repo) and not silent:
    print("The model repo... is not trusted")
    if input().lower() != "y":
        return None

When silent=True is passed, Python's short-circuit evaluation means that even if _verify_repo_ref(repo) returns False (indicating an untrusted repository), the compound conditional evaluates to False because not silent is False. The warning message and user confirmation prompt are never executed (GHSA-hqmj-h5c6-369m).

7.2 SHA256 Manifest Weakness

A secondary weakness compounds the silent bypass. The SHA256 integrity check validates model files against a manifest that is fetched from the same repository as the model itself. An attacker who controls the repository also controls the manifest, enabling them to supply valid SHA256 hashes for malicious model files. This renders the integrity verification mechanism ineffective against supply chain attacks targeting this code path (GHSA-hqmj-h5c6-369m).

7.3 CWE Mapping

CWE	Name	Relevance
`CWE-345`	Insufficient Verification of Data Authenticity	Trust verification for repository sources is bypassable via `silent=True` (NVD)
`CWE-494`	Download of Code Without Integrity Check	SHA256 validation against attacker-controlled manifests renders integrity checks ineffective (NVD)
`CWE-693`	Protection Mechanism Failure	The `silent=True` parameter defeats the protection mechanism entirely (NVD)

7.4 Exfiltration Risk

The NVD description notes the potential for "exfiltration of sensitive files like SSH keys and cloud credentials" when the silent bypass is combined with filesystem vulnerabilities in model loading (NVD). The specific mechanism by which a malicious ONNX model achieves code execution or data exfiltration is not elaborated in the public disclosure (RAXE assessment).

8. Confidence & Validation

Assessment Confidence: High

Aspect	Status	Detail
Vendor Advisory	Confirmed	`GHSA-hqmj-h5c6-369m` published by ONNX project maintainers (`GHSA-hqmj-h5c6-369m`)
CVE Assigned	Confirmed	`CVE-2026-28500`, vulnStatus: Analyzed (NVD)
PoC Available	Confirmed	Published by credited researcher ZeroXJacks (ZeroXJacks PoC)
Patch Available	No	No patched version released; no vendor timeline published (`GHSA-hqmj-h5c6-369m`)
Exploited in Wild	Not established	No reports of in-the-wild exploitation identified at time of writing

Limitations

Advisory-based analysis. The conceptual reproduction steps are derived from the GHSA advisory and the ZeroXJacks public PoC. RAXE Labs has not independently executed the PoC in a controlled environment for this finding.
Source code not inspected. The vulnerable code pattern is documented in the GHSA advisory but RAXE Labs has not independently verified it against the current ONNX codebase.
Malicious model payload not detailed. Neither the GHSA advisory nor the ZeroXJacks PoC specifies the exact mechanism by which a malicious ONNX model achieves code execution or data exfiltration.
EPSS is early-stage. The EPSS score (0.00008, percentile 0.64%) may not yet account for public PoC availability (RAXE assessment).

9. Detection Signatures

All detection rules below are classified as Lane 3: Hunting/Heuristic. They detect suspicious patterns consistent with CVE-2026-28500 exposure; they are not based on confirmed indicators from observed in-the-wild exploitation. No in-the-wild exploitation has been reported at time of writing.

9.1 Sigma Rule: ONNX Hub Silent Trust Verification Bypass (ONNX-001)

title: ONNX Hub Model Loading with Silent Trust Verification Bypass
id: abc52e87-ed90-41a4-8cf8-b04d168bc802
status: experimental
description: >
  Detects invocations of onnx.hub.load() or
  onnx.hub.download_model_with_test_data() with the silent=True
  parameter, which suppresses all trust verification warnings and
  user confirmation prompts for untrusted repositories. This is the
  core exploitation condition for CVE-2026-28500
  (GHSA-hqmj-h5c6-369m). Note: onnx.hub.load_composite_model() also
  flows into the vulnerable load() path. Because this rule matches
  the substrings onnx.hub.load and hub.load, it will also match
  load_composite_model() usage as written.
  Classification: Lane 3, Hunting/Heuristic.
  May match legitimate non-interactive pipelines.
author: RAXE Labs
date: 2026/03/20
references:
  - https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-28500
  - https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md
tags:
  - cve.2026.28500
  - attack.initial_access
  - atlas.aml.t0010
logsource:
  category: application
  product: python
detection:
  selection_hub_load:
    script_content|contains:
      - 'onnx.hub.load'
      - 'hub.load'
      - 'onnx.hub.download_model_with_test_data'
      - 'hub.download_model_with_test_data'
  selection_silent_bypass:
    script_content|contains:
      - 'silent=True'
      - 'silent = True'
  condition: selection_hub_load and selection_silent_bypass
level: high
falsepositives:
  - Legitimate CI/CD pipelines using silent=True for non-interactive
    model loading from trusted repositories
  - Automated test suites that suppress interactive prompts
  - Library wrapper code that passes silent=True as a default

9.2 Sigma Rule: ONNX Hub Non-Default Repository (ONNX-002)

title: ONNX Hub Model Loading from Non-Default Repository Source
id: be3b00ab-ce4f-4325-80cd-ee871bf2b690
status: experimental
description: >
  Detects invocations of onnx.hub.load() with a custom repo parameter
  that does not reference the official ONNX Model Zoo (onnx/models).
  CVE-2026-28500 enables silent model loading from untrusted
  repositories when combined with silent=True.
  Classification: Lane 3, Hunting/Heuristic. Organisations may
  legitimately use custom model repositories.
author: RAXE Labs
date: 2026/03/20
references:
  - https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-28500
tags:
  - cve.2026.28500
  - attack.initial_access
  - atlas.aml.t0010
logsource:
  category: application
  product: python
detection:
  selection_hub_load:
    script_content|contains:
      - 'onnx.hub.load'
      - 'hub.load'
      - 'onnx.hub.download_model_with_test_data'
      - 'hub.download_model_with_test_data'
  selection_custom_repo:
    script_content|contains:
      - 'repo='
      - 'repo ='
  filter_official_repo:
    script_content|contains:
      - 'onnx/models'
  condition: selection_hub_load and selection_custom_repo and not filter_official_repo
level: medium
falsepositives:
  - Internal model repositories hosted under a different account
  - Third-party model providers with legitimate ONNX repositories
  - Development and testing environments using local repository references

9.3 YARA Rule: ONNX Hub Silent Bypass in Source (ONNX-003)

rule RAXE_2026_039_ONNX_Hub_Silent_Bypass_Source : CVE_2026_28500 supply_chain hunting
{
    meta:
        finding_id   = "RAXE-2026-039"
        title        = "ONNX Hub load() with silent=True Trust Verification Bypass"
        description  = "Detects Python source files containing onnx.hub.load() or onnx.hub.download_model_with_test_data() called with silent=True. Classification: Lane 3, Hunting/Heuristic."
        author       = "RAXE Labs"
        date         = "2026-03-20"
        reference    = "https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m"
        cve          = "CVE-2026-28500"
        severity     = "critical"
        atlas        = "AML.T0010"
        lane         = "3"
        tlp          = "GREEN"

    strings:
        $hub_load_qualified   = "onnx.hub.load" ascii nocase
        $hub_load_unqualified = "hub.load(" ascii nocase
        $hub_download         = "download_model_with_test_data" ascii nocase
        $silent_true_compact  = "silent=True" ascii
        $silent_true_spaced   = "silent = True" ascii
        $import_onnx_hub      = "from onnx import hub" ascii nocase
        $import_onnx          = "import onnx" ascii nocase

    condition:
        uint16(0) != 0x5A4D and
        uint32(0) != 0x464C457F and
        filesize < 1MB and
        (
            ($hub_load_qualified and ($silent_true_compact or $silent_true_spaced))
            or
            ($hub_load_unqualified and ($silent_true_compact or $silent_true_spaced) and ($import_onnx_hub or $import_onnx))
            or
            ($hub_download and ($silent_true_compact or $silent_true_spaced))
        )
}

9.4 YARA Rule: Vulnerable ONNX Version in Dependencies (ONNX-004)

rule RAXE_2026_039_ONNX_Vulnerable_Version_Deps : CVE_2026_28500 supply_chain posture
{
    meta:
        finding_id   = "RAXE-2026-039"
        title        = "ONNX Version Pins and Loose Specifiers in Dependency Manifest (Heuristic)"
        description  = "Detects ONNX package version pins for specific known-vulnerable versions (1.12.x through 1.20.1) and loose specifiers (onnx>= or onnx~=) that may resolve to vulnerable versions. Does not comprehensively detect all possible version specifications <= 1.20.1. Loose specifier matches are heuristic and may produce false positives if the specifier resolves to a future patched version. No patched version available at time of writing. Classification: Lane 3, Posture/Exposure."
        author       = "RAXE Labs"
        date         = "2026-03-20"
        reference    = "https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m"
        cve          = "CVE-2026-28500"
        severity     = "high"
        lane         = "3"
        tlp          = "GREEN"

    strings:
        $onnx_pinned_1201 = "onnx==1.20.1" ascii nocase
        $onnx_pinned_1200 = "onnx==1.20.0" ascii nocase
        $onnx_pinned_119  = "onnx==1.19." ascii nocase
        $onnx_pinned_118  = "onnx==1.18." ascii nocase
        $onnx_pinned_117  = "onnx==1.17." ascii nocase
        $onnx_pinned_116  = "onnx==1.16." ascii nocase
        $onnx_pinned_115  = "onnx==1.15." ascii nocase
        $onnx_pinned_114  = "onnx==1.14." ascii nocase
        $onnx_pinned_113  = "onnx==1.13." ascii nocase
        $onnx_pinned_112  = "onnx==1.12." ascii nocase
        $onnx_gte_loose   = "onnx>=" ascii nocase
        $onnx_compat      = "onnx~=" ascii nocase
        $ctx_requirements  = "requirements" ascii nocase
        $ctx_pip_freeze    = "pip freeze" ascii nocase
        $ctx_pipfile       = "[packages]" ascii nocase
        $ctx_pyproject     = "[project.dependencies]" ascii nocase
        $ctx_setup_cfg     = "[options]" ascii nocase

    condition:
        uint16(0) != 0x5A4D and
        uint32(0) != 0x464C457F and
        filesize < 500KB and
        (
            any of ($onnx_pinned_*)
            or
            (($onnx_gte_loose or $onnx_compat) and any of ($ctx_*))
        )
}

Detection rule caveats: These rules target a known-dangerous API usage pattern and vulnerable dependency versions. They will generate false positives in environments where silent=True is used legitimately with trusted repositories. Tuning guidance: allowlist known-trusted internal ONNX model repository references in ONNX-002. All rules require Python script content logging or source code scanning capability to be effective.

Detection scope caveat: onnx.hub.load_composite_model() is an additional entry point that accepts the same silent=True parameter and is assessed to flow into the vulnerable load() path based on the ONNX Hub API design (RAXE assessment; not independently verified via source code inspection). The current Sigma and YARA rules already match load_composite_model() implicitly because they search for the substrings onnx.hub.load and hub.load, which are prefixes of onnx.hub.load_composite_model(). Organisations using this function should still validate local wrapper code and logging coverage, because these rules remain heuristic source-pattern detections rather than runtime exploit detectors (RAXE assessment).

10. Detection & Mitigation

10.1 Immediate Mitigations (0-7 days)

Remove silent=True from all ONNX Hub loading calls. Audit codebases for invocations of onnx.hub.load(), onnx.hub.download_model_with_test_data(), and onnx.hub.load_composite_model() with silent=True and remove or replace the parameter with silent=False to restore trust verification prompts (RAXE assessment based on GHSA-hqmj-h5c6-369m).
Pin model sources to the official repository. Restrict the repo parameter to the official ONNX Model Zoo (onnx/models) only. Do not allow user-controlled or dynamically resolved repository values (RAXE assessment).

10.2 Short-Term Mitigations (7-30 days)

Implement independent integrity verification. Add SHA256 or cryptographic signature verification outside of ONNX's built-in mechanism, using independently maintained hash manifests not sourced from the model repository itself (RAXE assessment based on GHSA-hqmj-h5c6-369m).
Monitor for upstream patch. Track the ONNX GitHub repository and GHSA-hqmj-h5c6-369m advisory for patch announcements. Plan upgrade testing when a fixed version is released (RAXE assessment).

10.3 Medium-Term Mitigations (30-90 days)

Audit ML model loading patterns broadly. Conduct an assessment of model loading practices across all ML frameworks in use, evaluating whether similar trust verification bypasses exist in other model hub implementations (RAXE assessment).
Deploy detection rules. Implement the Sigma and YARA rules from Section 9, tuned for the local environment, to identify existing silent=True usage and non-standard repository references (RAXE assessment).

11. Indicators of Compromise

Classification: Lane 3, Behavioural indicators. No confirmed in-the-wild exploitation IOCs exist at time of writing. The following are behavioural patterns consistent with exploitation of CVE-2026-28500, derived from the GHSA advisory and ZeroXJacks PoC.

Type	Indicator	Context
Code pattern	`onnx.hub.load(..., silent=True)`	Core exploitation condition: suppresses trust verification (`GHSA-hqmj-h5c6-369m`)
Code pattern	`onnx.hub.download_model_with_test_data(..., silent=True)`	Secondary vulnerable function with same bypass mechanism (`GHSA-hqmj-h5c6-369m`)
Code pattern	`onnx.hub.load_composite_model(..., silent=True)`	Additional entry point that internally calls the vulnerable `load()` path (RAXE assessment)
Code pattern	`repo=` parameter referencing non-`onnx/models` repositories	Supply chain component: model loading from non-official sources (`GHSA-hqmj-h5c6-369m`)
Dependency	`onnx` package version <= `1.20.1` in `requirements.txt`, `Pipfile`, or `pyproject.toml`	All versions up to `1.20.1` are vulnerable; no patched version available (`GHSA-hqmj-h5c6-369m`)
Network	Outbound HTTP(S) requests to non-standard GitHub repositories during model loading operations	Model download from attacker-controlled repository (RAXE assessment)

12. Strategic Context

ML Supply Chain as an Emerging Attack Surface

This vulnerability is part of a broader pattern of supply chain security weaknesses in ML model distribution infrastructure (RAXE assessment). ONNX is a Linux Foundation project that serves as a foundational interchange format for machine learning models across frameworks (RAXE assessment). The onnx.hub module provides convenience APIs for downloading and loading pre-trained models from remote repositories (GHSA-hqmj-h5c6-369m).

Model Provenance and Trust Verification

CVE-2026-28500 highlights a fundamental design weakness: the silent=True parameter was designed for non-interactive use cases (such as CI/CD pipelines and automated workflows) but inadvertently created a mechanism to bypass the only trust verification gate in the model loading path (RAXE assessment based on GHSA-hqmj-h5c6-369m). The secondary SHA256 manifest weakness further compounds this; integrity verification that relies on attacker-controllable manifests provides no security value against supply chain attacks.

MITRE ATLAS Alignment

This finding aligns with MITRE ATLAS techniques (RAXE assessment):

AML.T0010: ML Supply Chain Compromise: Attacker distributes a malicious model through a compromised or impersonated repository, bypassing trust verification.
AML.T0047: ML-Enabled Product/Service: The attack targets the ONNX model loading infrastructure used in ML-enabled products.

No-Patch Implications

The absence of a patched version at the time of writing means that all mitigations are workaround-based (RAXE assessment). Organisations cannot resolve this vulnerability through a simple package upgrade. This increases the operational burden on defenders and extends the window of exposure.