EXECUTIVE SUMMARY:
CVE-2026-34445 (CVSS score 8.6) is a vulnerability in the pip/onnx package affecting versions less than or equal to 1.20.1. The issue lies in the ExternalDataInfo class, which uses Python's setattr() function to load metadata from an ONNX model file without validating the "keys" in that file. An attacker can exploit this by crafting a malicious ONNX model that overwrites internal object properties: crashing the server by setting a massive value for the length property, bypassing access controls by setting a negative offset, or corrupting objects by injecting "dunder" attributes. This enables a denial of service (DoS) and potentially more complex exploitation, with significant business impact if exploited. The vulnerability is exploitable over the network and requires no privileges or user interaction.
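As an added illustration (not onnx's own code and not the vulnerable class itself), the following constructed class shows the unchecked setattr() pattern the summary describes beside a hardened loader that allowlists keys, rejects "dunder" names and bounds offset and length; the field names, entry format and max_length bound are assumptions:

```python
# Added example, not code from the onnx project. The metadata format
# (a list of (key, value) pairs), field names and bounds are constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of attributes an external-data record may set.
ALLOWED_KEYS = {"location", "offset", "length", "checksum"}


class UnsafeExternalDataInfo:
    """Mirrors the vulnerable pattern: every key in the file becomes an attribute."""

    def __init__(self, entries):
        self.location = None
        self.offset = 0
        self.length = 0
        self.checksum = None
        for key, value in entries:
            setattr(self, key, value)  # no validation of key or value


@dataclass
class SafeExternalDataInfo:
    location: str
    offset: int = 0
    length: int = 0
    checksum: Optional[str] = None


def load_external_data_info(entries, max_length=1 << 31):
    """Build a SafeExternalDataInfo, rejecting unknown keys and bad values."""
    fields = {}
    for key, value in entries:
        # Unknown keys and dunder names never reach setattr()/__init__.
        if key.startswith("__") or key not in ALLOWED_KEYS:
            raise ValueError(f"unexpected metadata key: {key!r}")
        if key in ("offset", "length"):
            try:
                value = int(value)
            except (TypeError, ValueError):
                raise ValueError(f"{key} must be an integer") from None
            # Negative offsets and oversized lengths are rejected up front.
            if value < 0 or value > max_length:
                raise ValueError(f"{key} out of range: {value}")
        fields[key] = value
    if "location" not in fields:
        raise ValueError("missing required key 'location'")
    return SafeExternalDataInfo(**fields)
```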