CVE-2026-27905

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670	Patch
https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-03 23:15

Updated : 2026-03-05 21:04

NVD link : CVE-2026-27905

Mitre link : CVE-2026-27905

CVE.ORG link : CVE-2026-27905

JSON object : View

Products Affected

bentoml

bentoml

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2026-27905", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-03T23:15:55.897", "references": [{"url": "https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36."}, {"lang": "es", "value": "BentoML es una librer\u00eda de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.36, la funci\u00f3n safe_extract_tarfile() valida que la ruta de cada miembro del archivo tar est\u00e9 dentro del directorio de destino, pero para los miembros de enlace simb\u00f3lico solo valida la ruta del propio enlace simb\u00f3lico, no el objetivo del enlace simb\u00f3lico. Un atacante puede crear un archivo tar malicioso bento/model que contenga un enlace simb\u00f3lico que apunte fuera del directorio de extracci\u00f3n, seguido de un archivo regular que escriba a trav\u00e9s del enlace simb\u00f3lico, logrando una escritura de archivo arbitraria en el sistema de archivos del host. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.4.36."}], "lastModified": "2026-03-05T21:04:51.123", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDC86E82-4716-43D1-AC14-3934F86B38E8", "versionEndExcluding": "1.4.36"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}