CVE-2026-27905: BentoML security flaw enables

Q: Is CVE-2026-27905 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27905, increasing the risk of exploitation.

Q: How to fix CVE-2026-27905?

1. PATCH: Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix. 2. INVENTORY: Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers. 3. MODEL PROVENANCE: Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched. 4. LEAST PRIVILEGE: Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root. 5. DETECTION: Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent). 6. INTEGRITY: Enforce checksum or signature verification for model artifacts before extraction. 7. CONTAINER HARDENING: Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

Q: What systems are affected by CVE-2026-27905?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, CI/CD for ML, training pipelines, model registries.

Q: What is the CVSS score for CVE-2026-27905?

CVE-2026-27905 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.26%.

CISO Take

Any BentoML deployment below 1.4.36 is vulnerable to arbitrary file write when loading external model or bento packages — patch to 1.4.36 immediately. The realistic attack path is a poisoned model distributed via public registries or third-party vendors; when your MLOps pipeline or a developer loads it, the attacker writes files anywhere on the host filesystem. Treat this as a supply chain risk: verify BentoML versions across all environments and enforce model provenance before deploying.

What is the risk?

Medium-high risk for organizations running BentoML in production or CI/CD pipelines that consume external models. Although CVSS 7.8 requires local access and user interaction, 'user interaction' in MLOps context means any automated pipeline or developer that imports a malicious bento/model package — a realistic and common workflow. Arbitrary file write on a model server can escalate to full host compromise via cron injection, SSH key planting, or config tampering. AI/ML systems typically run with elevated privileges and broad filesystem access, amplifying impact.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
BentoML	pip	—	No patch
8.7K OpenSSF 6.4 21 dependents Pushed 20d ago 55% patched ~14d to patch Full package profile →
BentoML	pip	< 1.4.36	`1.4.36`
8.7K OpenSSF 6.4 21 dependents Pushed 20d ago 55% patched ~14d to patch Full package profile →

How severe is it?

CVSS 3.1

7.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

7 steps

PATCH

Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix.
INVENTORY

Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers.
MODEL PROVENANCE

Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched.
LEAST PRIVILEGE

Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root.
DETECTION

Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent).
INTEGRITY

Enforce checksum or signature verification for model artifacts before extraction.
CONTAINER HARDENING

Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Framework Agent Model AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.6 - AI supply chain security A.6.2.6 - AI system supply chain security A.8.4 - AI system security controls

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI supply chain risk management GOVERN-6.1 - Policies for third-party AI risk MANAGE 2.4 - Mechanisms for managing AI risks from third-party dependencies MEASURE-2.6 - Risk measurement and tracking

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-27905?

Any BentoML deployment below 1.4.36 is vulnerable to arbitrary file write when loading external model or bento packages — patch to 1.4.36 immediately. The realistic attack path is a poisoned model distributed via public registries or third-party vendors; when your MLOps pipeline or a developer loads it, the attacker writes files anywhere on the host filesystem. Treat this as a supply chain risk: verify BentoML versions across all environments and enforce model provenance before deploying.

Is CVE-2026-27905 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27905, increasing the risk of exploitation.

How to fix CVE-2026-27905?

1. PATCH: Upgrade BentoML to 1.4.36 across all environments (dev, staging, prod, CI/CD) — this is the only complete fix. 2. INVENTORY: Identify all systems running BentoML using 'pip show bentoml' or equivalent; prioritize internet-facing model servers. 3. MODEL PROVENANCE: Restrict bento/model loading to internal, verified registries; block import of packages from untrusted sources until patched. 4. LEAST PRIVILEGE: Ensure BentoML processes run under dedicated service accounts with minimal filesystem permissions; avoid running as root. 5. DETECTION: Alert on unexpected file creation events outside BentoML's working directories during model loading operations (auditd or equivalent). 6. INTEGRITY: Enforce checksum or signature verification for model artifacts before extraction. 7. CONTAINER HARDENING: Review volume mounts in BentoML containers; remove unnecessary host path mounts that could be targeted.

What systems are affected by CVE-2026-27905?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, CI/CD for ML, training pipelines, model registries.

What is the CVSS score for CVE-2026-27905?

CVE-2026-27905 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

model servingMLOps pipelinesCI/CD for MLtraining pipelinesmodel registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0058 Publish Poisoned Models

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15, Article 15, Article 9

ISO 42001: A.6.1.6, A.6.2.6, A.8.4

NIST AI RMF: GOVERN 6.2, GOVERN-6.1, MANAGE 2.4, MEASURE-2.6

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.

Exploitation Scenario

An adversary publishes a malicious model to a public registry (e.g., HuggingFace Hub) targeting BentoML users. The bento archive contains: (1) a symlink 'models/config' pointing to '/etc/cron.d', and (2) a regular file 'models/config/pwned' containing a reverse shell cronjob. BentoML's safe_extract_tarfile() validates the symlink's own path as safe but fails to validate the symlink target. During extraction, step 1 creates the symlink pointing outside the extraction root; step 2 writes through it, depositing the reverse shell at /etc/cron.d/pwned. The cron daemon executes the payload within minutes, establishing persistent access to the model server. In CI/CD environments, this could compromise build agents and inject malicious code into downstream model artifacts before they reach production.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-59 Improper Link Resolution Before File Access ('Link Following') Primary CWE-59 Improper Link Resolution Before File Access ('Link Following') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.