Keras Vulnerability Lets Attackers Execute Code Via SavedModels

The National Vulnerability Database has flagged a critical security flaw in the popular Keras machine learning library. Identified as CVE-2026-1462, this vulnerability resides within the TFSMLayer class of the Keras package, specifically affecting version 3.13.0. The issue allows attackers to bypass safe_mode protections when deserializing .keras models. By crafting malicious TensorFlow SavedModels, an attacker can trick the deserialization process into loading these external models, even when safe_mode is enabled. This bypass ultimately leads to arbitrary code execution on the victim’s system with their privileges during model inference.

The National Vulnerability Database points to flaws in how the from_config() method handles model loading. It appears to unconditionally load external SavedModels and serializes attacker-controlled file paths without proper validation. This oversight creates a dangerous pathway for attackers to inject malicious code, turning a seemingly secure model loading process into a potent attack vector. The reported CVSS score of 8.8 (HIGH) underscores the severity of this vulnerability, highlighting the significant risk it poses to users of affected Keras versions.