CVE-2026-27905
Received Received - Intake
Arbitrary File Write via Symlink in BentoML Tar Extraction

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-05-07
AI Q&A
2026-03-04
EPSS Evaluated
2026-05-05
NVD
CVE-2026-27905
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bentoml bentoml to 1.4.36 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the BentoML Python library versions prior to 1.4.36. The issue is in the safe_extract_tarfile() function, which is designed to safely extract tar files by ensuring that each file's path stays within the intended extraction directory. However, for symbolic link (symlink) members, the function only checks the symlink's own path and not the path of the target the symlink points to.

An attacker can exploit this by creating a malicious tar file that contains a symlink pointing outside the extraction directory, followed by a regular file that writes through this symlink. This allows the attacker to write arbitrary files anywhere on the host filesystem during extraction.

This vulnerability is fixed in BentoML version 1.4.36.


How can this vulnerability impact me? :

This vulnerability can lead to arbitrary file write on the host filesystem when extracting a malicious tar file using vulnerable versions of BentoML. An attacker could overwrite or create files outside the intended directory, potentially leading to unauthorized modification of system files, configuration files, or application data.

Such unauthorized file writes can be used to escalate privileges, execute malicious code, disrupt services, or compromise the integrity and availability of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade BentoML to version 1.4.36 or later, where the issue with safe_extract_tarfile() handling of symlinks has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart