Any BentoML deployment below 1.4.36 is vulnerable to arbitrary file write when loading external model or bento packages — patch to 1.4.36 immediately. The realistic attack path is a poisoned model distributed via public registries or third-party vendors; when your MLOps pipeline or a developer loads it, the attacker writes files anywhere on the host filesystem. Treat this as a supply chain risk: verify BentoML versions across all environments and enforce model provenance before deploying.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| bentoml | pip | < 1.4.36 | 1.4.36 |
| bentoml | pip | — | No patch |
| bentoml | pip | — | No patch |
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix. 2. INVENTORY: Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers. 3. MODEL PROVENANCE: Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched. 4. LEAST PRIVILEGE: Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root. 5. DETECTION: Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent). 6. INTEGRITY: Enforce checksum or signature verification for model artifacts before extraction. 7. CONTAINER HARDENING: Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
Exploitation Scenario
An adversary publishes a malicious model to a public registry (e.g., HuggingFace Hub) targeting BentoML users. The bento archive contains: (1) a symlink 'models/config' pointing to '/etc/cron.d', and (2) a regular file 'models/config/pwned' containing a reverse shell cronjob. BentoML's safe_extract_tarfile() validates the symlink's own path as safe but fails to validate the symlink target. During extraction, step 1 creates the symlink pointing outside the extraction root; step 2 writes through it, depositing the reverse shell at /etc/cron.d/pwned. The cron daemon executes the payload within minutes, establishing persistent access to the model server. In CI/CD environments, this could compromise build agents and inject malicious code into downstream model artifacts before they reach production.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References
- github.com/advisories/GHSA-m6w7-qv66-g3mf
- github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670
- github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf
- nvd.nist.gov/vuln/detail/CVE-2026-27905
- github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670 Patch
- github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670 Patch
- github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670 Patch
- github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf Exploit Mitigation Vendor
- github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf Exploit Mitigation Vendor
- github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf Exploit Mitigation Vendor