Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows. An attacker can exfiltrate local files from the build host into the Bento artifact, exposing secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configurations. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine. This issue has been fixed in version 1.4.39.
Published: 2026-05-22
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a symlink traversal flaw in BentoML's build packaging workflow that allows an attacker to place a symbolic link in the build context pointing to a sensitive local file. When bentoml build dereferences the link, the file's contents are copied into the generated Bento artifact, exposing data that may include credentials, keys, or environment configurations. This flaw is identified as CWE-59 and permits information disclosure rather than code execution or denial of service.

Affected Systems

The issue affects BentoML version 1.4.38 and earlier. Versions 1.4.39 and later contain a fix. All installations of BentoML that build artifacts from untrusted or attacker-controlled repositories are potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. If an untrusted build context is processed, an attacker can exfiltrate local files from the build host. The compromised files can then be exported, pushed, or containerized, enabling further spread beyond the original machine. The primary attack vector is the ability to influence the build context contents, so protecting the build environment and ensuring only trusted sources are used are key to mitigation.

Generated by OpenCVE AI on May 22, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BentoML to version 1.4.39 or newer, which removes the symlink traversal bug.
  • If upgrading is delayed, verify that the build context contains only trusted files and that no symbolic links point to sensitive locations; remove or sanitize any such links before building.
  • Consider implementing a build-time validation step, such as a pre-build script or container policy, that rejects build contexts containing symlinks or files located outside a predefined safe directory.
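
A pre-build check along the lines of the last recommendation, as an added example (not BentoML or OpenCVE code): it walks the build context without following links and reports every symlink, marking those whose resolved target lies outside the context directory. The function names and the `allow_internal_links` option are assumptions made for this example, and the sample tree in `demo()` is constructed.

```python
import os
import tempfile
from pathlib import Path


def find_symlinks(context_dir):
    """Return (relative_path, resolved_target, escapes) for every symlink in the tree."""
    root = Path(context_dir).resolve()
    findings = []
    # followlinks=False: never descend through a linked directory while scanning.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            # realpath resolves chains of links; a dangling link still yields a path.
            target = Path(os.path.realpath(path))
            escapes = root != target and root not in target.parents
            findings.append((str(path.relative_to(root)), str(target), escapes))
    return sorted(findings)


def check_build_context(context_dir, allow_internal_links=False):
    """Return the findings that should block the build (empty list means OK)."""
    findings = find_symlinks(context_dir)
    if allow_internal_links:
        return [f for f in findings if f[2]]  # only links leaving the context
    return findings  # strict mode: any symlink blocks the build


def demo():
    """Constructed sample: one link leaving the context, one staying inside it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        outside = base / "outside-marker.txt"
        outside.write_text("host-only data\n")
        ctx = base / "context"
        (ctx / "src").mkdir(parents=True)
        (ctx / "src" / "service.py").write_text("# service code\n")
        os.symlink(outside, ctx / "loot.txt")            # target is outside the context
        os.symlink("src/service.py", ctx / "alias.py")   # target stays inside
        strict = check_build_context(ctx)
        lenient = check_build_context(ctx, allow_internal_links=True)
        return [f[0] for f in strict], [f[0] for f in lenient]


if __name__ == "__main__":
    print(demo())
```

Run the check against the checked-out repository before `bentoml build` and fail the pipeline when the returned list is non-empty.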

Advisories
Source | ID | Title
GitHub GHSA | GHSA-mcfx-4vc6-qgxv | BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context

History

Fri, 22 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bentoml; Bentoml bentoml
Vendors & Products | | Bentoml; Bentoml bentoml

Fri, 22 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows. An attacker can exfiltrate local files from the build host into the Bento artifact, exposing secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configurations. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine. This issue has been fixed in version 1.4.39.
Title | | BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
Weaknesses | | CWE-59
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T19:47:51.660Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40610

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses