CVE-2026-27905 Overview
CVE-2026-27905 is a high-severity symlink attack vulnerability in BentoML, a Python library for building online serving systems optimized for AI apps and model inference. The vulnerability exists in the safe_extract_tarfile() function, which fails to properly validate symlink targets during tar file extraction. While the function validates that each tar member's path is within the destination directory, for symlink members it only validates the symlink's own path—not the symlink's target. This oversight allows an attacker to craft a malicious bento or model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.
Critical Impact
Attackers can achieve arbitrary file write on the host filesystem by exploiting improper symlink validation in BentoML's tar extraction functionality, potentially leading to code execution or system compromise.
Affected Products
- BentoML versions prior to 1.4.36
Discovery Timeline
- 2026-03-03 - CVE-2026-27905 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-27905
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The safe_extract_tarfile() function in BentoML was designed to prevent path traversal attacks by validating that extracted file paths remain within the intended destination directory. However, the validation logic contains a critical flaw when handling symbolic links.
The function correctly checks whether the symlink itself would be placed within the extraction directory, but it fails to validate where the symlink actually points. This creates a two-stage attack scenario: first, a malicious tar file creates a symlink pointing to an arbitrary location outside the extraction directory (such as /etc/ or other sensitive system paths), and then a subsequent file in the tar archive writes content through that symlink to the external location.
Root Cause
The root cause is incomplete input validation in the tar extraction logic. When processing tar members of type SYMLINK, the code validates only the member's name (the symlink's location) but does not resolve or validate the linkname attribute (the symlink's target). This allows symlinks to reference absolute paths or relative paths containing ../ sequences that escape the intended extraction boundary.
Attack Vector
The attack requires local access, as an attacker must be able to supply a malicious bento or model tar file to the BentoML system. The attack flow is as follows:
The attacker crafts a malicious tar archive containing two entries: a symlink entry pointing to a target outside the extraction directory (e.g., ./innocent_link -> /etc/cron.d/malicious), followed by a regular file entry with the same name as the symlink (./innocent_link) containing malicious content.
When BentoML processes this tar file using safe_extract_tarfile(), it creates the symlink first, which passes validation because the symlink's own path is within the extraction directory.
When the regular file is extracted, the system follows the symlink and writes the attacker-controlled content to the external target location.
The vulnerability mechanism exploits the order of extraction and the difference between validating a symlink's location versus its target. By carefully constructing the tar archive, an attacker can write arbitrary content to any location writable by the BentoML process. For detailed technical information, refer to the GitHub Security Advisory GHSA-m6w7-qv66-g3mf.
Detection Methods for CVE-2026-27905
Indicators of Compromise
- Unexpected symlinks created in BentoML extraction directories pointing to system-critical paths
- Unexplained modifications to files outside BentoML's working directories, especially in /etc/, /var/, or user home directories
- Suspicious bento or model tar files containing symlink entries with external targets
- File integrity monitoring alerts for sensitive configuration files
Detection Strategies
- Monitor tar extraction operations for symlinks with targets containing ../ or absolute paths
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized writes
- Audit BentoML model and bento imports for suspicious archive contents before extraction
- Review system logs for file creation events in protected directories coinciding with BentoML operations
Monitoring Recommendations
- Enable detailed logging for BentoML model import and extraction operations
- Configure SIEM alerts for file writes to sensitive system paths by the BentoML process
- Implement runtime application self-protection (RASP) to monitor file system operations
- Regularly audit imported bentos and models for unexpected file structures
How to Mitigate CVE-2026-27905
Immediate Actions Required
- Upgrade BentoML to version 1.4.36 or later immediately
- Audit recently imported bentos and models for potential compromise
- Review file system integrity on systems running vulnerable BentoML versions
- Restrict permissions for the BentoML process to limit the impact of arbitrary file writes
Patch Information
BentoML has addressed this vulnerability in version 1.4.36. The fix properly validates symlink targets in addition to symlink paths during tar extraction. The security patch is available via the GitHub commit 4e0eb007765ac04c7924220d643f264715cc9670. Users should upgrade using pip:
pip install --upgrade bentoml>=1.4.36
Workarounds
- If immediate upgrade is not possible, avoid importing bentos or models from untrusted sources
- Implement additional validation of tar archives before allowing BentoML to process them
- Run BentoML in a containerized environment with restricted filesystem access
- Apply the principle of least privilege to the BentoML service account
# Verify your BentoML version
pip show bentoml | grep Version
# Upgrade to patched version
pip install "bentoml>=1.4.36"
# Optional: Run BentoML with restricted filesystem access using a container
# Example Docker run with read-only root filesystem
docker run --read-only --tmpfs /tmp bentoml/bentoml:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
