CVE-2026-11816 | Severity: HIGH | CNA: @huntr_ai

CVE-2026-11816: Path Traversal in keras-team/keras

Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process's current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners and Jupyter environments, the validation boundary becomes the filesystem root: `..` components above the root are discarded, so any traversal or absolute member path resolves to somewhere under `/` and passes the check. Additionally, the zip filter contains a bug that raises an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net (the tarfile extraction filter introduced in Python 3.12), leaving them entirely reliant on the flawed CWD-based filter. Exploitation can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines.
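The CWD-anchored check described above, side by side with a destination-anchored one, as an added example that is not Keras's code: `cwd_anchored_check` is a hypothetical reconstruction of the flaw class (the real `filter_safe_tarinfos()` / `filter_safe_zipinfos()` bodies are not reproduced here), the attribute mix-up suggested in `safe_zip_members` is an assumption about how a zip filter might raise `AttributeError`, and the archive contents and paths (`/app`, `/tmp/extract`, `../../escaped.txt`) are constructed for the demonstration. The block also shows the `filter="data"` layer the description mentions, applied only where the running interpreter provides it.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def build_tar(members: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar in memory from {member_name: payload}.
    Constructed sample input: names are chosen to contain traversal."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def _is_under(base: str, target: str) -> bool:
    """True if target stays inside base once '..' and symlinks are resolved."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base


def cwd_anchored_check(member_name: str, cwd: str) -> bool:
    """Hypothetical reconstruction of the flaw class, not Keras's code:
    the member is resolved against the process CWD rather than the
    extraction destination.  With cwd == '/', every '..' above the root
    is discarded, so any traversal or absolute name lands under '/'."""
    return _is_under(cwd, os.path.join(cwd, member_name))


def dest_anchored_check(member_name: str, dest: str) -> bool:
    """Hardened check: resolve against the real extraction destination."""
    return _is_under(dest, os.path.join(dest, member_name))


def safe_tar_members(tar: tarfile.TarFile, dest: str) -> list[tarfile.TarInfo]:
    """Keep regular files and directories that resolve inside dest.
    Link members are dropped: a symlink could redirect a later write."""
    return [m for m in tar.getmembers()
            if (m.isfile() or m.isdir()) and dest_anchored_check(m.name, dest)]


def safe_zip_members(zf: zipfile.ZipFile, dest: str) -> list[zipfile.ZipInfo]:
    """Same check for zip entries.  ZipInfo exposes `.filename`, TarInfo
    `.name`; assumed here (not confirmed by the advisory) to be the kind
    of mix-up that makes a zip filter raise AttributeError on a blocked entry."""
    return [i for i in zf.infolist() if dest_anchored_check(i.filename, dest)]


def safe_extract_tar(data: bytes, dest: str) -> list[str]:
    """Extract data into dest and return the member names written.
    The stdlib 'data' filter is added as a second layer wherever the
    interpreter has it (3.12+, or a patch release that backported it)."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = safe_tar_members(tar, dest)
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, members=members, filter="data")
        else:
            tar.extractall(dest, members=members)
    return [m.name for m in members]


def demo() -> dict[str, object]:
    """Compare both checks on constructed input and extract safely."""
    evil = "../../escaped.txt"
    results: dict[str, object] = {
        # CWD '/' (typical in Docker, CI, Jupyter): the flawed check passes it
        "cwd_root_passes_evil": cwd_anchored_check(evil, "/"),
        # a non-root CWD happens to reject it, which is how the bug hides
        "cwd_app_passes_evil": cwd_anchored_check(evil, "/app"),
        # the destination-anchored check rejects it regardless of CWD
        "dest_passes_evil": dest_anchored_check(evil, "/tmp/extract"),
    }
    data = build_tar({"ok/model.keras": b"weights\n", evil: b"owned\n"})
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(evil, b"owned\n")
        zf.writestr("ok/data.csv", b"1,2\n")
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "extract")
        results["extracted"] = safe_extract_tar(data, dest)
        results["escaped_exists"] = os.path.exists(os.path.join(tmp, "a", "escaped.txt"))
        results["ok_exists"] = os.path.isfile(os.path.join(dest, "ok", "model.keras"))
        with zipfile.ZipFile(io.BytesIO(zbuf.getvalue())) as zf:
            results["zip_kept"] = [i.filename for i in safe_zip_members(zf, dest)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three boolean results is that the CWD-anchored check is not merely weak, it is arbitrary: the same archive is blocked or allowed depending on where the process happens to be running, and `/` is exactly the CWD where every `..` is absorbed. Resolving against the destination with `realpath` and `commonpath` also catches absolute member names and symlinked parents, which plain string prefix comparison does not.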

Metrics

CVSS v3.0 score: 8.1
Severity: HIGH
Fixed in: 3.14.0
Affected products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Keras (versions before 3.14.0) affects the archive extraction utilities in `keras/src/utils/file_utils.py`. The CVSS vector rates the flaw as network-reachable and unauthenticated, but exploitation requires the victim to extract an attacker-supplied archive, such as a crafted model or dataset file, in a process whose CWD is `/`. Successful exploitation allows an attacker to write arbitrary files outside the intended extraction directory, overwriting configuration files, injecting malicious code, or corrupting ML datasets and pipelines. A patched-image rebuild at version 3.14.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-11816 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Keras as a dependency. Any image carrying a Keras version below 3.14.0 is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at 8.1 HIGH using the provided CVSS v3.0 vector and can weight that score further against each customer's per-environment compliance policies (for example, stricter thresholds for production ML serving environments versus development notebooks). Triage results are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild at Keras 3.14.0 becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The malicious archive reaches the target over the network (a downloaded dataset, model or checkpoint), so the victim process must be able to fetch or receive attacker-controlled archives.

  • Authentication: Not required

    No credentials are needed; any unauthenticated party who can get an archive in front of the target process can attempt exploitation.

  • Victim interaction: Required

    A user or automated pipeline must open or extract the attacker-crafted archive, making this a social-engineering or supply-chain delivery vector.

  • Attack complexity: Low

    No race conditions or environmental tuning are needed. The bypass only requires the extracting process to have its CWD set to `/`, which is the default in many Docker images, CI/CD runners and Jupyter deployments. On Python 3.11, where the `filter="data"` safety net is absent, the flawed CWD-based filter is the only check standing between the archive and the filesystem.

Blast Radius

  • Attacker writes arbitrary files outside the intended extraction directory, overwriting configuration files such as credentials, service configs, or SSH authorized keys.
  • Attacker injects malicious code into Python packages, startup scripts, or model definition files already present on the filesystem.
  • Attacker corrupts or replaces ML datasets and pipeline artifacts, causing silent misbehavior in trained models or data preprocessing steps.
  • Confidentiality and integrity of the host filesystem are both compromised; the CVSS vector rates both C and I as High with no availability impact.

How HarborGuard Handles This

Available on HarborGuard: any image containing Keras below 3.14.0 is matched against CVE-2026-11816 within minutes of the CVE appearing in upstream feeds, covering both pulled base images and custom-built images that vendor Keras directly. The fix is a concrete upstream release (3.14.0), so a patched-image rebuild is available immediately for affected environments.

For customers who opt into auto-remediation, HarborGuard triggers a rebuild at 3.14.0, runs a regression test pass against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or environment sensitivity requires manual review before merging, the PR and regression results are staged and waiting.

Given the specific risk to environments where CWD is the filesystem root (Docker containers, CI/CD runners, Jupyter servers), customers who cannot patch immediately should restrict which users or services may trigger archive extraction, and apply network policy controls to limit untrusted archive ingestion paths until the rebuild is deployed. Because the bypass depends on the extracting process having CWD `/`, running Keras from a non-root working directory (for example a Docker `WORKDIR`) removes that specific trigger, and on Python 3.12 or later tar extraction additionally passes through the stdlib `filter="data"` check; neither is a substitute for upgrading to 3.14.0.


Fix available: 3.14.0

Affected packages
  • keras-team/keras < 3.14.0 (introduced version unspecified)

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N