Security News

Cybersecurity news aggregator

Category: Critical Vulnerabilities | Source: Reddit r/netsec

ONNX Hub silent=True suppresses all trust verification, enabling supply chain attacks on ML model loading (CVE-2026-28500, CVSS 9.1, no patch available)

A critical security control bypass in the ONNX Python library's `onnx.hub.load()` function allows the `silent=True` parameter to suppress all trust verification warnings, enabling silent supply chain attacks via model loading from untrusted repositories. The NIST-assigned CVSS 3.1 score is 9.1 (Critical), and all versions up to and including 1.20.1 are affected. As no patched version is available, the immediate workaround is to audit codebases and remove the `silent=True` parameter from all `onnx.hub.load()` calls to restore verification prompts.

1. Executive Summary

A critical security control bypass in the ONNX (Open Neural Network Exchange) Python library allows the `onnx.hub.load()` function's `silent=True` parameter to suppress all trust verification warnings and user confirmation prompts, enabling silent loading of models from untrusted repositories (NVD, GHSA-hqmj-h5c6-369m). NIST assigns a Primary CVSS 3.1 score of 9.1 Critical (NVD); all ONNX versions up to and including 1.20.1 are affected and no patched version is available (GHSA-hqmj-h5c6-369m). Organisations using `onnx.hub.load()` with `silent=True`, a pattern common in non-interactive pipelines (RAXE assessment), should audit their codebases immediately and remove the `silent=True` parameter to restore trust verification prompts.

2. Risk Rating

| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical (NIST Primary) | CVSS 3.1 base score 9.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD) |
| Urgency | High | No patched version available; public PoC exists (GHSA-hqmj-h5c6-369m) |
| Scope | Medium | ONNX is a foundational ML interchange format; exposure depends on `silent=True` usage in model loading pipelines (RAXE assessment) |
| Confidence | High | CVE in Analyzed status at NVD with NIST Primary scoring; vendor advisory from the ONNX project; public PoC from the credited researcher (NVD, GHSA-hqmj-h5c6-369m) |
| Business Impact | High | Silent supply chain compromise of ML inference pipelines; no user-visible indicator of exploitation (RAXE assessment) |

CVSS Divergence Note

Two CVSS 3.1 scores are published for this CVE (NVD):

| Source | Type | Score | Severity | Vector |
|---|---|---|---|---|
| NIST | Primary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GitHub (CNA) | Secondary | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |

The scores diverge on two dimensions:

- Integrity Impact: NIST rates Integrity as High (I:H), reflecting the ability to silently substitute legitimate models with malicious ones. GitHub rates Integrity as None (I:N), scoping the assessed impact to confidentiality only (NVD).
- Scope: NIST rates Scope as Unchanged (S:U); GitHub rates Scope as Changed (S:C), indicating the CNA considers the impact to extend beyond the vulnerable component's security authority (NVD).

RAXE reporting uses the NIST Primary score of 9.1 Critical for severity language, as NIST is the authoritative scoring source for NVD entries and the integrity impact reflects the practical ability to substitute model artefacts in the supply chain (RAXE assessment).

3. Affected Products

| Product | Vendor | Registry | Affected Versions | Fixed Version | Status |
|---|---|---|---|---|---|
| ONNX | Linux Foundation | PyPI (`onnx`) | <= 1.20.1 | None available | Unpatched |

Source: GHSA-hqmj-h5c6-369m, NVD. CPE: `cpe:2.3:a:linuxfoundation:onnx:*:*:*:*:*:*:*:*` (NVD).

Am I Affected?

- Check whether your codebase or dependencies include the `onnx` package: `pip show onnx`
- Check the installed version: `python3 -c "import onnx; print(onnx.__version__)"`. Any version up to and including 1.20.1 is vulnerable.
- Search for `silent=True` usage in ONNX Hub loading calls: `grep -r "hub\.load\|hub\.download_model_with_test_data\|hub\.load_composite_model" . | grep "silent.*True"`
- Highest risk: `silent=True` combined with a non-official or attacker-controllable `repo=` parameter (i.e., anything other than the default `onnx/models` repository). This combination silently loads models from untrusted sources with no verification prompt.
- Lower risk (still affected): `silent=True` with the default `onnx/models` repository. This disables the trust verification prompt but relies on the official repository not being compromised. The underlying SHA256 manifest weakness (Section 7.2) still applies.
- If `silent=True` is found without an explicit `repo=` parameter pointing to a trusted source, audit whether the repository value could be influenced by user input, environment variables, or configuration files (RAXE assessment).

4. Abstract

CVE-2026-28500 is a security control bypass in the ONNX Python library affecting all versions up to and including 1.20.1 (GHSA-hqmj-h5c6-369m). The vulnerability resides in `onnx/hub.py`, where the trust verification logic for model repository sources uses short-circuit evaluation that is entirely defeated by the `silent=True` parameter (GHSA-hqmj-h5c6-369m). When a developer passes `silent=True` to `onnx.hub.load()`, the function proceeds to load models from any repository, including attacker-controlled ones, without displaying any warning or requesting user confirmation (GHSA-hqmj-h5c6-369m). A secondary weakness compounds this: the SHA256 integrity check validates model files against a manifest fetched from the same repository, meaning an attacker who controls the repository also controls the manifest (GHSA-hqmj-h5c6-369m). No patched version is available at the time of writing (GHSA-hqmj-h5c6-369m). NVD assigns three CWEs: CWE-345 (Insufficient Verification of Data Authenticity), CWE-494 (Download of Code Without Integrity Check), and CWE-693 (Protection Mechanism Failure) (NVD).

5. Key Findings

Silent trust verification bypass. The silent=True parameter i...
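The grep in the "Am I Affected?" checklist (Section 3) finds the obvious cases but misses calls made through an import alias and cannot tell a pinned official `repo=` literal from a value read out of the environment. The following audit script is an added example written for this summary; it is not code from the ONNX project or from RAXE. It parses Python source with the standard `ast` module, recognises the three hub function names the advisory lists (`load`, `download_model_with_test_data`, `load_composite_model`) whether called as `hub.<f>`, `onnx.hub.<f>` or via `from onnx.hub import <f>`, and classifies every `silent=True` hit by the origin of its `repo=` value using the advisory's own high/low risk split. `Finding`, `audit_source` and the `SAMPLE` input are this example's own constructions; the trusted repository owner string `onnx/models` is taken from the advisory.

```python
"""Audit Python sources for ONNX Hub loading calls that pass silent=True.

Added example for this advisory summary, not ONNX project code. Only keyword
arguments are inspected; positional silent/repo values are unusual and are
left to manual review.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

HUB_FUNCS = {"load", "download_model_with_test_data", "load_composite_model"}
TRUSTED_REPO_OWNER = "onnx/models"  # default ONNX Hub repo per the advisory


@dataclass
class Finding:
    lineno: int
    func: str
    repo: str | None  # literal repo string when given as a constant, else None
    risk: str         # "high", "low" or "review"
    reason: str


def _hub_func_name(call: ast.Call, direct: dict[str, str]) -> str | None:
    """Hub function name if `call` is hub.<f>(), onnx.hub.<f>() or a directly
    imported alias of <f>; otherwise None."""
    f = call.func
    if isinstance(f, ast.Name):
        return direct.get(f.id)
    if isinstance(f, ast.Attribute) and f.attr in HUB_FUNCS:
        base = f.value
        if isinstance(base, ast.Name) and base.id == "hub":
            return f.attr
        if isinstance(base, ast.Attribute) and base.attr == "hub":
            return f.attr
    return None


def audit_source(src: str) -> list[Finding]:
    """One Finding per hub call whose silent= keyword is True or non-literal."""
    tree = ast.parse(src)
    direct: dict[str, str] = {}  # local name -> hub function name
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "onnx.hub":
            for alias in node.names:
                if alias.name in HUB_FUNCS:
                    direct[alias.asname or alias.name] = alias.name

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = _hub_func_name(node, direct)
        if func is None:
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        silent = kw.get("silent")
        if silent is None or (isinstance(silent, ast.Constant) and silent.value is False):
            continue  # prompt still active
        if not (isinstance(silent, ast.Constant) and silent.value is True):
            findings.append(Finding(node.lineno, func, None, "review",
                                    "silent= is computed at runtime; confirm it can never be True"))
            continue
        repo = kw.get("repo")
        if repo is None:
            findings.append(Finding(node.lineno, func, None, "low",
                                    "default repo, prompt disabled; relies on onnx/models not being compromised"))
        elif isinstance(repo, ast.Constant) and isinstance(repo.value, str):
            owner = repo.value.split(":")[0]  # "onnx/models:main" -> "onnx/models"
            if owner == TRUSTED_REPO_OWNER:
                findings.append(Finding(node.lineno, func, repo.value, "low",
                                        "official repo literal, prompt disabled"))
            else:
                findings.append(Finding(node.lineno, func, repo.value, "high",
                                        "non-official repo literal with silent=True"))
        else:
            findings.append(Finding(node.lineno, func, None, "high",
                                    "repo= is dynamic (variable, env var or config) with silent=True"))
    findings.sort(key=lambda f: f.lineno)
    return findings


# Constructed sample input (not real project code) covering each classification.
SAMPLE = '''\
import os
import onnx.hub as hub
from onnx.hub import load as hub_load

m1 = hub.load("resnet50")                                           # prompt intact
m2 = hub.load("resnet50", silent=True)                              # default repo
m3 = hub.load("resnet50", repo="onnx/models:main", silent=True)     # official literal
m4 = hub_load("resnet50", repo=os.environ["MODEL_REPO"], silent=True)
m5 = hub.download_model_with_test_data("bert", repo="evil/models:main", silent=True)
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"line {f.lineno}: {f.func}() [{f.risk}] {f.reason}")
```

Run it over a real tree by reading each `.py` file and passing its text to `audit_source`; the "review" class exists because a `silent=` value taken from a flag or config is exactly the pattern the advisory warns about in non-interactive pipelines.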

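The abstract describes two separable defects: a short-circuit condition that drops the untrusted-repository prompt whenever `silent=True`, and an integrity check anchored to a manifest served by the very repository being verified. The block below is an added example written for this summary, not the ONNX project's code: `load_model_vulnerable` is a simplified reconstruction of the behaviour the advisory describes for `onnx/hub.py`, and `load_model_hardened` is this example's own fix, which decides trust independently of interactivity (failing closed in silent mode) and pins the SHA256 to a digest the caller supplies out of band. The `REPOS` table, the model byte strings, `repo_is_trusted`, `_deny` and `raises` are all constructed for the example; the default repository spec `onnx/models:main` is assumed.

```python
"""Vulnerable short-circuit trust check beside a hardened loader.

Added example for this advisory summary; not ONNX project code. The
vulnerable function mirrors the advisory's description, the hardened one
is this example's own design.
"""
import hashlib
from typing import Callable

TRUSTED_REPO = "onnx/models:main"  # assumed default ONNX Hub repo spec

# Constructed stand-ins for repositories: repo spec -> (manifest sha256, model bytes).
GOOD_MODEL = b"\x08\x07\x12\x06legit-model"  # not a real ONNX protobuf
EVIL_MODEL = b"\x08\x07\x12\x06evil--model"
REPOS = {
    "onnx/models:main": (hashlib.sha256(GOOD_MODEL).hexdigest(), GOOD_MODEL),
    # An attacker who controls the repo also regenerates its manifest, so the
    # manifest hash matches the malicious bytes and a repo-relative check passes.
    "attacker/models:main": (hashlib.sha256(EVIL_MODEL).hexdigest(), EVIL_MODEL),
}


def repo_is_trusted(repo: str) -> bool:
    return repo == TRUSTED_REPO


def _deny(_msg: str) -> bool:
    """Default confirm callback for non-interactive use: never approve."""
    return False


def load_model_vulnerable(repo: str, silent: bool = False,
                          confirm: Callable[[str], bool] = _deny) -> bytes:
    # Short-circuit: with silent=True the untrusted branch is never entered, so
    # the caller's only chance to refuse an unknown repo disappears.
    if not repo_is_trusted(repo) and not silent:
        if not confirm(f"Repo {repo} is not trusted. Continue?"):
            raise PermissionError(f"untrusted repo {repo} rejected")
    manifest_sha, data = REPOS[repo]
    # Integrity is checked against the repo's own manifest.
    if hashlib.sha256(data).hexdigest() != manifest_sha:
        raise ValueError("sha256 mismatch against repo manifest")
    return data


def load_model_hardened(repo: str, expected_sha256: str, silent: bool = False,
                        confirm: Callable[[str], bool] = _deny,
                        allow_untrusted: bool = False) -> bytes:
    # 1. Decide trust independently of interactivity: silent mode fails closed
    #    for unknown repos unless the caller opts in explicitly.
    if not repo_is_trusted(repo):
        if silent:
            if not allow_untrusted:
                raise PermissionError(f"untrusted repo {repo} rejected in silent mode")
        elif not confirm(f"Repo {repo} is not trusted. Continue?"):
            raise PermissionError(f"untrusted repo {repo} rejected")
    _manifest_sha, data = REPOS[repo]
    # 2. Pin integrity to a digest obtained out of band; the repo's manifest is
    #    ignored because whoever controls the repo controls the manifest too.
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return data


def raises(fn, exc_type) -> bool:
    """True if calling fn() raises exc_type."""
    try:
        fn()
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    pinned = REPOS["onnx/models:main"][0]
    # Vulnerable: silent=True loads the attacker's model with no prompt and a "valid" hash.
    print(load_model_vulnerable("attacker/models:main", silent=True) == EVIL_MODEL)
    # Hardened: the same call is refused, and an explicit opt-in still fails the pinned digest.
    print(raises(lambda: load_model_hardened("attacker/models:main", pinned, silent=True), PermissionError))
    print(raises(lambda: load_model_hardened("attacker/models:main", pinned, silent=True,
                                             allow_untrusted=True), ValueError))
```

The pinned digest is the part that actually closes the supply-chain hole: removing `silent=True`, as the workaround recommends, restores the prompt but still leaves the hash comparison anchored to the repository's own manifest.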