CVE-2026-35044: BentoML: malicious bento archive RCE via Jinja2 SSTI

GHSA-v959-cwq9-7hr6 HIGH CISA: ATTEND
Published April 3, 2026
CISO Take

Any team running `bentoml containerize` on externally-sourced or shared bento archives is at risk of full host compromise — the payload executes on the host before Docker is even invoked, bypassing container isolation entirely. Patch immediately to BentoML 1.4.38 and audit any CI/CD pipeline that automates bento imports from untrusted sources. If you cannot patch, block import of third-party bento archives until the fix is validated.

What is the risk?

High risk. CVSS 8.8 reflects realistic exploitability: the attack requires no authentication, no AI/ML expertise, and the PoC is a trivial 3-line Jinja2 template. The blast radius is the host machine — including credentials, SSH keys, cloud tokens, and source code in the developer or CI/CD environment. Exposure is especially acute in MLOps teams that import pre-built bento archives from model hubs, S3 buckets, or collaborative workflows. The deceptive trust boundary (users expect containerize to be a safe build step) amplifies likelihood of successful exploitation.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
BentoML pip <= 1.4.37 1.4.38
8.7K OpenSSF 6.4 21 dependents Pushed 12d ago 55% patched ~14d to patch Full package profile →

Do you use BentoML? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. PATCH

    Upgrade bentoml to >= 1.4.38 immediately. This replaces the unsandboxed Environment with SandboxedEnvironment and removes the jinja2.ext.do extension.

  2. AUDIT

    Review any bento archives imported from external sources; inspect env/docker/Dockerfile.template inside archives for Jinja2 {% do %} or {% debug %} tags before trusting.

  3. DETECT

    Add pre-import scanning for jinja2.ext.do patterns in Dockerfile.template files within bento archives. In SIEM, alert on bentoml containerize executions followed by unexpected child process spawning (bash, sh, python outside expected paths).

  4. ISOLATE

    Until patched, run bentoml containerize only in isolated VMs or ephemeral sandboxed environments, never on developer workstations or shared CI/CD runners with access to production secrets.

  5. RESTRICT

    Implement allowlists for approved bento archive sources; reject imports from untrusted origins.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
8.4 - AI system security 8.7 - AI supply chain management
NIST AI RMF
GOVERN 1.7 - AI supply chain risk management MANAGE 2.2 - Mechanisms for AI risk treatment
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-35044?

Any team running `bentoml containerize` on externally-sourced or shared bento archives is at risk of full host compromise — the payload executes on the host before Docker is even invoked, bypassing container isolation entirely. Patch immediately to BentoML 1.4.38 and audit any CI/CD pipeline that automates bento imports from untrusted sources. If you cannot patch, block import of third-party bento archives until the fix is validated.

Is CVE-2026-35044 actively exploited?

No confirmed active exploitation of CVE-2026-35044 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35044?

1. PATCH: Upgrade bentoml to >= 1.4.38 immediately. This replaces the unsandboxed Environment with SandboxedEnvironment and removes the jinja2.ext.do extension. 2. AUDIT: Review any bento archives imported from external sources; inspect `env/docker/Dockerfile.template` inside archives for Jinja2 `{% do %}` or `{% debug %}` tags before trusting. 3. DETECT: Add pre-import scanning for `jinja2.ext.do` patterns in `Dockerfile.template` files within bento archives. In SIEM, alert on `bentoml containerize` executions followed by unexpected child process spawning (bash, sh, python outside expected paths). 4. ISOLATE: Until patched, run `bentoml containerize` only in isolated VMs or ephemeral sandboxed environments, never on developer workstations or shared CI/CD runners with access to production secrets. 5. RESTRICT: Implement allowlists for approved bento archive sources; reject imports from untrusted origins.

What systems are affected by CVE-2026-35044?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model packaging and containerization workflows, CI/CD model deployment pipelines, model sharing and collaboration workflows, developer workstations running local model serving.

What is the CVSS score for CVE-2026-35044?

CVE-2026-35044 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelinesmodel packaging and containerization workflowsCI/CD model deployment pipelinesmodel sharing and collaboration workflowsdeveloper workstations running local model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0050 Command and Scripting Interpreter
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: 8.4, 8.7
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.

Exploitation Scenario

An adversary targeting a team that uses BentoML for LLM/ML model serving builds a plausible bento archive — perhaps a useful open-source model wrapper or a dependency of an internal project. They embed a malicious `Dockerfile.template` containing a `{% do %}` SSTI payload that exfiltrates environment variables (cloud API keys, database credentials, Anthropic API key) to an attacker-controlled endpoint, then installs a reverse shell. The archive is published to a public S3 bucket or a GitHub release alongside legitimate model artifacts. A CI/CD runner executing automated `bentoml import && bentoml containerize` workflows pulls the archive during a dependency update or model refresh. The SSTI payload fires during template rendering — before any Docker layer exists — giving the attacker full host access to the runner, its mounted secrets, and any production systems reachable from the CI/CD network.

Weaknesses (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

  • [Architecture and Design] Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
  • [Implementation] Use the template engine's sandbox or restricted mode, if available.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
April 3, 2026
Last Modified
April 7, 2026
First Seen
April 4, 2026

Related Vulnerabilities