Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.
Published: 2026-05-27
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BentoML’s containerization process reads envs[*].name from bentofile.yaml and directly inserts them into the generated Dockerfile without quoting. A malicious bento can inject newline characters into these names, breaking the Dockerfile syntax and turning the value into an unquoted RUN directive. During the docker build, the injected command executes with the privileges of the Docker daemon, giving the attacker arbitrary code execution on the host. This flaw is an example of OS Command Injection (CWE‑78) and code injection (CWE‑94).

Affected Systems

The affected product is BentoML, a Python library and CLI used for serving AI models. Versions before 1.4.39 are vulnerable. Any system that runs bentoml containerize on a bento built from a malicious or compromised bentofile.yaml is susceptible.

Risk and Exploitability

The CVSS score of 8.8 signifies a high severity vulnerability. The EPSS score is not available, so the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the vulnerability by supplying a crafted bentofile.yaml that includes a newline in an env name; the attacker must then invoke bentoml containerize on the target host, which could be a local or remote scenario if the host processes files from untrusted sources. Once triggered, arbitrary host commands run under Docker’s build context, potentially compromising the entire system. The issue is fixed in BentoML 1.4.39.

Generated by OpenCVE AI on May 27, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BentoML to version 1.4.39 or newer.
  • Validate envs[*].name in bentofile.yaml to prohibit newlines or other shell metacharacters.
  • Rebuild Docker images in a sandboxed or trusted environment if the upgrade cannot be applied immediately.

Generated by OpenCVE AI on May 27, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w2pm-x38x-jp44 Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
History

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.
Title BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml
Weaknesses CWE-78
CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:22:47.101Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44346

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T18:16:23.333

Modified: 2026-05-27T18:16:23.333

Link: CVE-2026-44346

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses