ASR AI Security Radar
Methodology Recent Incidents Get Notified

Back to incidents

AI security incident: Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loadi...

Incident date: February 18, 2026 | Published: February 25, 2026 | Source: GitHub Security Advisory | Classification confidence: 78%

This incident is part of the public archive and includes explicit AI-related signals from the cited source material. Review methodology.

Summary TensorFlow / Keras continues to honor HDF5 “external storage” and ExternalLink features when loading weights. A malicious .weights.h5 (or a .keras archive embedding such weights) can direct load_weights() to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack ( tensorflow 2.20.0 , keras 3.11.3 , h5py 3.15.1 , numpy 2.3.4 ).

Why This Is AI-Related

This page is treated as AI-specific because the source material references keras, which places the issue inside an AI workflow, model, assistant, or supporting dependency rather than a generic software bulletin.

  • keras

Affected Workflow

Model registries, artifact scanners, notebook workflows, and CI/CD steps that handle model files need immediate review.

Likely Attack Path

The malicious payload is embedded in model artifacts or serialized objects, then executes or bypasses scanning during load and inspection.

Impact

The advisory affects model artifacts or serialized AI assets, which can bypass inspection or execute during load and validation steps. Severity HIGH. Classification confidence 78%. Source channel GHSA.

Detection And Triage Signals

  • New or unsigned model artifacts entering the registry
  • Scanner output gaps for pickle or custom model formats
  • Unexpected code paths during model loading or validation jobs

Recommended Response

  • Inventory model artifacts, serialized objects, and scanners that touch the affected package or workflow.
  • Block untrusted model files and revalidate registry, CI, or notebook loading paths before restoring normal operation.
  • Review artifact provenance, scanner output, and recent model-ingestion activity for suspicious changes.

Compliance And Business Impact

Model artifact compromise undermines trust in the training and deployment chain and can create stealthy persistence in ML workflows.

Sources

Want alerts like this in real time?

Get notified with incident context, likely impact, and response guidance.

Get Notified

More incidents