CVE-2026-27905: BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction

March 3, 2026 (updated March 4, 2026)

The safe_extract_tarfile() function validates that each tar member’s path is within the destination directory, but for symlink members it only validates the symlink’s own path, not the symlink’s target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem.

References

github.com/advisories/GHSA-m6w7-qv66-g3mf
github.com/bentoml/BentoML
github.com/bentoml/BentoML/commit/4e0eb007765ac04c7924220d643f264715cc9670
github.com/bentoml/BentoML/security/advisories/GHSA-m6w7-qv66-g3mf
nvd.nist.gov/vuln/detail/CVE-2026-27905

Code Behaviors & Features

Detect and mitigate CVE-2026-27905 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →