Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
Published: 2026-03-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write
Action: Immediate Patch
AI Analysis

Impact

BentoML’s safe_extract_tarfile function is intended to prevent tar extraction from writing files outside the intended destination directory. The function validates only the symlink’s own path, not the target of the link. An attacker who can supply a malicious tar archive can create a symlink that points outside the extraction folder and a regular file that resolves through that symlink, causing an arbitrary file write on the host filesystem. This allows modification or creation of any file on the system where the extraction occurs, potentially compromising application code, configuration, or system binaries.

Affected Systems

The vulnerability affects versions of BentoML older than 1.4.36. The issue is present in all installations that use the safe_extract_tarfile routine before the 1.4.36 release, regardless of deployment environment. Upgrading to version 1.4.36 or later applies the patch that fully validates symlink targets.

Risk and Exploitability

The CVSS score of 8.6 rates this as high severity, and the EPSS score of less than 1 % indicates that exploitation probability is low as of the current data set. The vulnerability is not listed in the CISA KEV catalog. If an attacker can control the content of a tar file that is extracted by BentoML, they can write an arbitrary file through a symlink, making the risk significant while the likelihood of exploitation remains modest. The attack requires the attacker’s input to the tar extraction process; no additional privileges are needed beyond the execution context of the extraction routine.

Generated by OpenCVE AI on April 16, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BentoML to version 1.4.36 or later
  • Ensure that only trusted tar archives are processed by safe_extract_tarfile
  • Run tar extraction commands in a sandboxed or isolated environment to limit the impact of any potential file write

Generated by OpenCVE AI on April 16, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m6w7-qv66-g3mf BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
History

Thu, 05 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 04 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Bentoml
Bentoml bentoml
Vendors & Products Bentoml
Bentoml bentoml

Tue, 03 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
Title BentoML has an Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Weaknesses CWE-59
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bentoml Bentoml
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T21:23:39.612Z

Reserved: 2026-02-24T15:19:29.718Z

Link: CVE-2026-27905

cve-icon Vulnrichment

Updated: 2026-03-04T21:23:35.012Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T23:15:55.897

Modified: 2026-03-05T21:04:51.123

Link: CVE-2026-27905

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses