CVE-2026-44345 - Vulnerability Details

- BentoML: Dockerfile command injection via docker.base_image

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.

Published: 2026-05-27

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A specially crafted bento.yaml file can insert arbitrary Dockerfile directives into the generated Dockerfile because the docker.base_image value is interpolated without escaping or validation. When bentoml containerize executes a docker build, the injected RUN directives run on the host, giving the attacker unrestricted code execution. The weakness, a form of operating system command injection, is identified as CWE‑78.

Affected Systems

The vulnerability affects BentoML versions earlier than 1.4.39 of the BentoML Python library.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity, while the EPSS score is not available and it is not listed in the CISA KEV catalog. Exploitation requires the ability to supply a malicious bento.yaml and to invoke the containerize process; the attack vector is local and dependent on the attacker’s access to the host environment. If an attacker can alter the bento.yaml file, the injected commands execute with the privileges of the user running docker, potentially compromising the entire system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bentoml

BentoML

affected

Version	Status	Constraints
`< 1.4.39`	affected	—

Configuration 1 [-]

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Bentoml

100%

Version	Status	Scheme	Platform
`[0,1.4.39)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade BentoML to version 1.4.39 or later.
If an upgrade is not immediately possible, restrict access to the bento.yaml file so that only trusted users can modify it.
Run the containerize command in a restricted or isolated environment, such as a dedicated build container or CI system, to prevent injected commands from affecting the host.

Generated by OpenCVE AI on May 27, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-78f9-r8mh-4xm2	BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0026.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2

History

Tue, 02 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bentoml:bentoml::::::::

Thu, 28 May 2026 05:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bentoml Bentoml bentoml
Vendors & Products		Bentoml Bentoml bentoml

Wed, 27 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.
Title		BentoML: Dockerfile command injection via docker.base_image
Weaknesses		CWE-78
References		https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Bentoml Bentoml

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T17:24:18.789Z

Updated: 2026-05-27T18:00:32.386Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44345

Vulnrichment

Updated: 2026-05-27T18:00:23.117Z

NVD

Status : Analyzed

Published: 2026-05-27T18:16:23.200

Modified: 2026-06-02T13:59:48.400

Link: CVE-2026-44345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:15:08Z

Weaknesses

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object