CVE-2026-27905 — HIGH (CVSS 7.8) AI Security Vulnerability

Q: Is CVE-2026-27905 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27905, increasing the risk of exploitation.

Q: How to fix CVE-2026-27905?

1. PATCH: Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix. 2. INVENTORY: Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers. 3. MODEL PROVENANCE: Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched. 4. LEAST PRIVILEGE: Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root. 5. DETECTION: Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent). 6. INTEGRITY: Enforce checksum or signature verification for model artifacts before extraction. 7. CONTAINER HARDENING: Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

Q: What systems are affected by CVE-2026-27905?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, CI/CD for ML, training pipelines, model registries.

Q: What is the CVSS score for CVE-2026-27905?

CVE-2026-27905 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

CISO Take

Any BentoML deployment below 1.4.36 is vulnerable to arbitrary file write when loading external model or bento packages — patch to 1.4.36 immediately. The realistic attack path is a poisoned model distributed via public registries or third-party vendors; when your MLOps pipeline or a developer loads it, the attacker writes files anywhere on the host filesystem. Treat this as a supply chain risk: verify BentoML versions across all environments and enforce model provenance before deploying.

Risk Assessment

Medium-high risk for organizations running BentoML in production or CI/CD pipelines that consume external models. Although CVSS 7.8 requires local access and user interaction, 'user interaction' in MLOps context means any automated pipeline or developer that imports a malicious bento/model package — a realistic and common workflow. Arbitrary file write on a model server can escalate to full host compromise via cron injection, SSH key planting, or config tampering. AI/ML systems typically run with elevated privileges and broad filesystem access, amplifying impact.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
bentoml	pip	—	No patch
8.6K OpenSSF 6.3 22 dependents Pushed 9d ago 50% patched ~14d to patch Full package profile →
bentoml	pip	< 1.4.36	`1.4.36`
8.6K OpenSSF 6.3 22 dependents Pushed 9d ago 50% patched ~14d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 1% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

7 steps

PATCH

Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix.
INVENTORY

Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers.
MODEL PROVENANCE

Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched.
LEAST PRIVILEGE

Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root.
DETECTION

Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent).
INTEGRITY

Enforce checksum or signature verification for model artifacts before extraction.
CONTAINER HARDENING

Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Framework Agent Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.6 - AI supply chain security A.6.2.6 - AI system supply chain security A.8.4 - AI system security controls

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI supply chain risk management GOVERN-6.1 - Policies for third-party AI risk MANAGE 2.4 - Mechanisms for managing AI risks from third-party dependencies MEASURE-2.6 - Risk measurement and tracking

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-27905?

Any BentoML deployment below 1.4.36 is vulnerable to arbitrary file write when loading external model or bento packages — patch to 1.4.36 immediately. The realistic attack path is a poisoned model distributed via public registries or third-party vendors; when your MLOps pipeline or a developer loads it, the attacker writes files anywhere on the host filesystem. Treat this as a supply chain risk: verify BentoML versions across all environments and enforce model provenance before deploying.

Is CVE-2026-27905 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27905, increasing the risk of exploitation.

How to fix CVE-2026-27905?

1. PATCH: Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix. 2. INVENTORY: Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers. 3. MODEL PROVENANCE: Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched. 4. LEAST PRIVILEGE: Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root. 5. DETECTION: Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent). 6. INTEGRITY: Enforce checksum or signature verification for model artifacts before extraction. 7. CONTAINER HARDENING: Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

What systems are affected by CVE-2026-27905?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, CI/CD for ML, training pipelines, model registries.

What is the CVSS score for CVE-2026-27905?

CVE-2026-27905 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.

Exploitation Scenario

An adversary publishes a malicious model to a public registry (e.g., HuggingFace Hub) targeting BentoML users. The bento archive contains: (1) a symlink 'models/config' pointing to '/etc/cron.d', and (2) a regular file 'models/config/pwned' containing a reverse shell cronjob. BentoML's safe_extract_tarfile() validates the symlink's own path as safe but fails to validate the symlink target. During extraction, step 1 creates the symlink pointing outside the extraction root; step 2 writes through it, depositing the reverse shell at /etc/cron.d/pwned. The cron daemon executes the payload within minutes, establishing persistent access to the model server. In CI/CD environments, this could compromise build agents and inject malicious code into downstream model artifacts before they reach production.