diff --git a/master/buildbot/process/remotetransfer.py b/master/buildbot/process/remotetransfer.py
index 76a13faadf3..8ac5f888d28 100644
--- a/master/buildbot/process/remotetransfer.py
+++ b/master/buildbot/process/remotetransfer.py
@@ -126,7 +126,10 @@ def remote_unpack(self):
 # Unpack archive and clean up after self
 with tarfile.open(name=self.tarname, mode=mode) as archive:
- archive.extractall(path=self.destroot)
+ if hasattr(tarfile, 'data_filter'):
+ archive.extractall(path=self.destroot, filter='data')
+ else:
+ archive.extractall(path=self.destroot)
 os.remove(self.tarname)
diff --git a/master/buildbot/test/integration/test_upgrade.py b/master/buildbot/test/integration/test_upgrade.py
index 66669b1b340..40867e4fabc 100644
--- a/master/buildbot/test/integration/test_upgrade.py
+++ b/master/buildbot/test/integration/test_upgrade.py
@@ -77,7 +77,10 @@ def setUpUpgradeTest(self):
 with tarfile.open(tarball) as tf:
 prefixes = set()
 for inf in tf:
- tf.extract(inf)
+ if hasattr(tarfile, 'data_filter'):
+ tf.extract(inf, filter='data')
+ else:
+ tf.extract(inf)
 prefixes.add(inf.name.split('/', 1)[0])
 # (note that tf.extractall isn't available in py2.4)
diff --git a/newsfragments/tarfile-pep706.bugfix b/newsfragments/tarfile-pep706.bugfix
new file mode 100644
index 00000000000..0d398f780dd
--- /dev/null
+++ b/newsfragments/tarfile-pep706.bugfix
@@ -0,0 +1 @@
+Improved security of tarfile extraction to help avoid CVE-2007-4559. See more details in https://peps.python.org/pep-0706/. Buildbot uses filter='data' now. (:issue:`7294`)
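Review bot: The `else` branch in remote_unpack still calls `archive.extractall(path=self.destroot)` with no member checks, so on an interpreter without `tarfile.data_filter` extraction stays as exposed to the CVE-2007-4559 path traversal as it was before this commit. The method name suggests the tar is supplied by a remote worker (not visible in the hunk), which is the case where this matters most. I would make the fallback accept only regular files and directories whose resolved path stays under `self.destroot`, extracting member by member so it also works if `mode` is a stream mode, as sketched below. Separately, `os.remove(self.tarname)` sits after the `with`, so a member rejected by the filter (`tarfile.FilterError`) leaves the uploaded tar on disk; a `try`/`finally` would cover that. remote_unpack starts outside the hunk.

```python
            if hasattr(tarfile, 'data_filter'):
                # … unchanged: extractall with filter='data' …
            else:
                # No extraction filters on this interpreter: accept only regular
                # files and directories that resolve inside destroot.
                root = os.path.realpath(self.destroot)
                for member in archive:
                    target = os.path.realpath(os.path.join(root, member.name))
                    inside = os.path.commonpath([root, target]) == root
                    if not inside or not (member.isfile() or member.isdir()):
                        raise tarfile.TarError(
                            'unsafe archive member: %r' % (member.name,))
                    archive.extract(member, path=self.destroot)
```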
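Review bot: The `hasattr(tarfile, 'data_filter')` branch in setUpUpgradeTest is a second copy of the check in remotetransfer.py and is re-evaluated for every member inside the `for inf in tf:` loop. Computing the keyword once before the loop keeps the body to a single call: `extract_kwargs = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}` followed by `tf.extract(inf, **extract_kwargs)`. A small shared helper used by both call sites would also stop the two copies from drifting when the fallback is eventually dropped. setUpUpgradeTest starts and ends outside the hunk.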