CVE-2026-27905
Received Received - Intake
Arbitrary File Write via Symlink in BentoML Tar Extraction

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27905
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bentoml bentoml to 1.4.36 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the BentoML Python library versions prior to 1.4.36. The issue is in the safe_extract_tarfile() function, which is designed to safely extract tar files by ensuring that each file's path stays within the intended extraction directory. However, for symbolic link (symlink) members, the function only checks the symlink's own path and not the path of the target the symlink points to.

An attacker can exploit this by creating a malicious tar file that contains a symlink pointing outside the extraction directory, followed by a regular file that writes through this symlink. This allows the attacker to write arbitrary files anywhere on the host filesystem during extraction.

This vulnerability is fixed in BentoML version 1.4.36.

Impact Analysis

This vulnerability can lead to arbitrary file write on the host filesystem when extracting a malicious tar file using vulnerable versions of BentoML. An attacker could overwrite or create files outside the intended directory, potentially leading to unauthorized modification of system files, configuration files, or application data.

Such unauthorized file writes can be used to escalate privileges, execute malicious code, disrupt services, or compromise the integrity and availability of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade BentoML to version 1.4.36 or later, where the issue with safe_extract_tarfile() handling of symlinks has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27905. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart