CVE-2026-27905
Published: 03 March 2026
Summary
CVE-2026-27905 is a high-severity Link Following (CWE-59) vulnerability in BentoML. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE ranks in the 1.1 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring identification, reporting, and patching of the BentoML tar extraction flaw fixed in version 1.4.36.
Mandates validation of tar file inputs to check symlink targets and prevent traversal outside the extraction directory.
Limits damage from arbitrary file writes by enforcing least privilege on the BentoML serving process accessing the host filesystem.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file write via malicious tar (symlink traversal) directly enables writing Python payloads for execution (T1059.006) and requires user interaction with a crafted model/bento file (T1204.002).
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
Deeper analysis
CVE-2026-27905 is a vulnerability in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. In versions prior to 1.4.36, the safe_extract_tarfile() function performs path validation to ensure tar members stay within the destination directory, but it only checks the symlink's own path for symlink members, neglecting the symlink's target path. This flaw, classified as CWE-59 (Improper Link Resolution Before File Access), enables symlink traversal during tar extraction.
Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as reflected in its CVSS v3.1 base score of 7.8 (S:U/C:H/I:H/A:H). An attacker can craft a malicious bento or model tar file containing a symlink that points outside the extraction directory, followed by a regular file whose contents are written through the symlink. This achieves arbitrary file writes on the host filesystem.
The issue was addressed in BentoML 1.4.36. Mitigation involves updating to this version or later. Details on the patch are provided in the BentoML GitHub commit (https://github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670) and security advisory (https://github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf).
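The check the description says was missing can be sketched as a pre-extraction audit. This is an added example, not BentoML's code or its patch: `find_unsafe_members` and `sample_archive` are hypothetical names, the archive is constructed in memory, and the policy is deliberately stricter than the fix described above in that it also rejects any member written through a link declared earlier in the same archive.

```python
import io
import os
import tarfile


def _inside(base: str, path: str) -> bool:
    """True if path is base itself or lies beneath it."""
    return os.path.commonpath([base, path]) == base


def find_unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Return reasons the archive must not be extracted into dest (empty = OK)."""
    base, problems, links = os.path.abspath(dest), [], set()
    for m in tar.getmembers():
        path = os.path.normpath(os.path.join(base, m.name))
        if not _inside(base, path):
            problems.append(f"{m.name}: path escapes destination")
            continue
        # A later member must not be written through an earlier link.
        if any(path != ln and _inside(ln, path) for ln in links):
            problems.append(f"{m.name}: path passes through an archive link")
        if m.issym() or m.islnk():
            # Symlink targets resolve from the link's directory, hard links from the root.
            start = os.path.dirname(path) if m.issym() else base
            target = os.path.normpath(os.path.join(start, m.linkname))
            if not _inside(base, target):
                problems.append(f"{m.name}: link target {m.linkname!r} escapes destination")
            links.add(path)
    return problems


def sample_archive(link_target: str) -> tarfile.TarFile:
    """Constructed in-memory archive: a symlink 'assets', then 'assets/cfg.txt'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("assets")
        link.type, link.linkname = tarfile.SYMTYPE, link_target
        tar.addfile(link)
        data = b"constructed sample\n"
        info = tarfile.TarInfo("assets/cfg.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for target in ("../../outside", "data"):
        print(target, find_unsafe_members(sample_archive(target), "/srv/bento"))
```

On Python 3.12 and later, `TarFile.extractall(..., filter="data")` applies comparable link-target checks at extraction time and is worth enabling in addition to upgrading.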
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai