CVE-2026-44346 - Vulnerability Details

- BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.

Published: 2026-05-27

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

BentoML’s containerization process reads envs[*].name from bentofile.yaml and directly inserts them into the generated Dockerfile without quoting. A malicious bento can inject newline characters into these names, breaking the Dockerfile syntax and turning the value into an unquoted RUN directive. During the docker build, the injected command executes with the privileges of the Docker daemon, giving the attacker arbitrary code execution on the host. This flaw is an example of OS Command Injection (CWE‑78) and code injection (CWE‑94).

Affected Systems

The affected product is BentoML, a Python library and CLI used for serving AI models. Versions before 1.4.39 are vulnerable. Any system that runs bentoml containerize on a bento built from a malicious or compromised bentofile.yaml is susceptible.

Risk and Exploitability

The CVSS score of 8.8 signifies a high severity vulnerability. The EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by supplying a crafted bentofile.yaml that includes a newline in an env name; the attacker must then invoke bentoml containerize on the target host, which could be a local or remote scenario if the host processes files from untrusted sources. Once triggered, arbitrary host commands run under Docker’s build context, potentially compromising the entire system. The issue is fixed in BentoML 1.4.39.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bentoml

BentoML

affected

Version	Status	Constraints
`< 1.4.39`	affected	—

Configuration 1 [-]

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Bentoml

100%

Version	Status	Scheme	Platform
`[0,1.4.39)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update BentoML to version 1.4.39 or newer.
Validate envs[*].name in bentofile.yaml to prohibit newlines or other shell metacharacters.
Rebuild Docker images in a sandboxed or trusted environment if the upgrade cannot be applied immediately.

Generated by OpenCVE AI on May 27, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-w2pm-x38x-jp44	Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00275.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44

History

Tue, 02 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bentoml:bentoml::::::::

Thu, 28 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 28 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bentoml Bentoml bentoml
Vendors & Products		Bentoml Bentoml bentoml

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.
Title		BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml
Weaknesses		CWE-78 CWE-94
References		https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Bentoml Bentoml

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T17:22:47.101Z

Updated: 2026-05-28T15:09:40.051Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44346

Vulnrichment

Updated: 2026-05-28T15:09:31.727Z

NVD

Status : Analyzed

Published: 2026-05-27T18:16:23.333

Modified: 2026-06-02T13:48:02.080

Link: CVE-2026-44346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T03:15:05Z

Weaknesses

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-94
Improper Control of Generation of Code ('Code Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object