Skip to main content

Docker CVE-2026-33744

HIGH
Code Injection (CWE-94)
2026-03-26 https://github.com/bentoml/BentoML GHSA-jfjg-vc52-wqvf
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 07:45 vuln.today
CVE Published
Mar 26, 2026 - 07:32 nvd
HIGH 7.8

DescriptionGitHub Advisory

Summary

The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.

Affected Component

  • src/_bentoml_sdk/images.py:85-89 - .format(packages=" ".join(packages)) into shell command
  • src/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2:13 - {{ __options__system_packages | join(' ') }}
  • src/bentoml/_internal/bento/build_config.py:174 - No validation on system_packages
  • All distro install commands in src/bentoml/_internal/container/frontend/dockerfile/__init__.py

Affected Versions

All versions supporting docker.system_packages in bentofile.yaml, confirmed on 1.4.36.

Steps to Reproduce

  1. Create a project directory with:

service.py:

python
import bentoml

@bentoml.service
class MyService:
    @bentoml.api
    def predict(self) -> str:
        return "hello"

bentofile.yaml:

yaml
service: "service:MyService"
docker:
  system_packages:
    - "curl && id > /tmp/bentoml-pwned #"
  1. Run:
bash
bentoml build
  1. Examine the generated Dockerfile at ~/bentoml/bentos/my_service/<tag>/env/docker/Dockerfile. Line 41 will contain:
dockerfile
RUN apt-get install -q -y -o Dpkg::Options::=--force-confdef curl && id > /tmp/bentoml-pwned
#
  1. Running bentoml containerize my_service:<tag> will execute id > /tmp/bentoml-pwned as root during the Docker build.

Root Cause

The system_packages field values are treated as package names (data) by the user but are string-formatted directly into shell commands in the Dockerfile:

python
# images.py:85-89
self.commands.append(
    CONTAINER_METADATA[self.distro]["install_command"].format(
        packages=" ".join(packages)
# No escaping
    )
)

Where install_command is "apt-get install -q -y -o Dpkg::Options::=--force-confdef {packages}".

A bash_quote filter (wrapping shlex.quote) exists in the codebase and is registered in both Jinja2 environments, but it is only applied to environment variable values, never to system_packages.

Impact

  1. Malicious repositories: An attacker publishes an ML project with a crafted bentofile.yaml. Anyone who clones and builds it gets arbitrary code execution during docker build.
  2. CI/CD compromise: Automated pipelines running bentoml containerize on PRs that modify bentofile.yaml are vulnerable.
  3. BentoCloud: If BentoCloud builds images from user-supplied bentofile.yaml, this could achieve RCE on cloud infrastructure.
  4. Supply chain: Shared bentos or model repos in the BentoML ecosystem can contain malicious configs.

Suggested Fix

Option 1: Input validation (recommended)

Add a regex validator to system_packages in build_config.py:

python
import re

VALID_PACKAGE_NAME = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$')

def _validate_system_packages(instance, attribute, value):
    if value is None:
        return
    for pkg in value:
        if not VALID_PACKAGE_NAME.match(pkg):
            raise BentoMLException(
                f"Invalid system package name: {pkg!r}. "
                "Package names may only contain alphanumeric characters, "
                "dots, plus signs, hyphens, underscores, and colons."
            )

system_packages: t.Optional[t.List[str]] = attr.field(
    default=None, validator=_validate_system_packages
)

Option 2: Output escaping

Apply shlex.quote() to each package name before interpolation in images.py:system_packages() and apply the bash_quote Jinja2 filter in base_debian.j2.

AnalysisAI

BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.

Technical ContextAI

BentoML (pkg:pip/bentoml) is a Python framework for building and deploying machine learning services. The vulnerability is rooted in CWE-94 (Improper Control of Generation of Code / Code Injection). The system_packages field in bentofile.yaml configuration files is intended to specify OS package names for installation in Docker containers. However, the implementation in src/_bentoml_sdk/images.py and Jinja2 templates (base_debian.j2) directly interpolates these values into Dockerfile RUN commands using string formatting without sanitization or shell escaping. While the codebase includes a bash_quote filter using shlex.quote for environment variables, this protection is never applied to system_packages values. The values are joined with spaces and inserted directly into apt-get install commands, allowing shell metacharacters and command separators to break out of the intended command context.

RemediationAI

Users should upgrade to a patched version of BentoML as soon as one is released by the vendor (monitor https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf for updates). Until a patch is available, implement strict validation of bentofile.yaml files from untrusted sources by reviewing all system_packages entries for shell metacharacters (semicolons, ampersands, pipes, backticks, dollar signs, redirects). In CI/CD environments, implement mandatory code review for any changes to bentofile.yaml files before automated builds, and consider running bentoml containerize in isolated, ephemeral build environments with no access to sensitive resources. Organizations can also apply the suggested fix manually by patching build_config.py to validate package names against the regex pattern ^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$ before processing. For BentoCloud users or operators of shared build infrastructure, disable or restrict the system_packages feature until patching is complete.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-33744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy