Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
Published: 2026-04-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

BentoML’s Dockerfile generation function creates an unsandboxed Jinja2 environment that processes user‑provided templates. An attacker can embed malicious Jinja2 code into a bento archive; when a victim imports that archive and runs the containerize command, the template engine will execute arbitrary Python on the host machine. This bypasses container isolation and allows the attacker to run code with the privileges of the BentoML process, leading to full system compromise.

Affected Systems

Any installation of BentoML before version 1.4.38 that performs containerization is affected. The vulnerability is triggered when a user imports a bento archive from an untrusted source and then executes the containerize operation, regardless of the underlying operating system or deployment environment.

Risk and Exploitability

The severity is high with a CVSS score of 8.8. The probability of active exploitation is low, as indicated by an EPSS score below 1% and the absence of listing in the KEV catalog. Exploitation requires an attacker to supply a malicious bento archive to a victim that imports it and runs the containerization command; once triggered, the attacker gains arbitrary code execution on the host, putting all data and services at risk.

Generated by OpenCVE AI on April 10, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BentoML to version 1.4.38 or later.
  • Avoid importing bento archives from untrusted sources; verify digital signatures or hashes before import.
  • If an upgrade cannot be performed immediately, disable the Jinja2 'do' extension or otherwise sandbox the template rendering process to prevent code execution.
  • Monitor system logs for unexpected Python execution or new processes during container creation.

Generated by OpenCVE AI on April 10, 2026 at 19:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v959-cwq9-7hr6 BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
History

Fri, 10 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Bentoml
Bentoml bentoml
Vendors & Products Bentoml
Bentoml bentoml

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
Title BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Bentoml Bentoml
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:49:59.815Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35044

cve-icon Vulnrichment

Updated: 2026-04-06T18:49:56.893Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T18:16:41.990

Modified: 2026-04-10T18:31:47.183

Link: CVE-2026-35044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:27:42Z

Weaknesses