CVE-2026-33744

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

History

01 Apr 2026, 15:00

Type	Values Removed	Values Added
References	~~() https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf -~~	() https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf - Exploit, Mitigation, Vendor Advisory
First Time		Bentoml Bentoml bentoml
CPE		cpe:2.3:a:bentoml:bentoml::::::::

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) BentoML es una biblioteca de Python para construir sistemas de servicio en línea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versión 1.4.37, el campo 'docker.system_packages' en 'bentofile.yaml' aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos 'RUN' de Dockerfile sin sanitización. Dado que 'system_packages' es semánticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un 'bentofile.yaml' malicioso logra la ejecución arbitraria de comandos durante 'bentoml containerize' / 'docker build'. La versión 1.4.37 corrige el problema.

27 Mar 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-27 01:16

Updated : 2026-04-01 15:00

NVD link : CVE-2026-33744

Mitre link : CVE-2026-33744

CVE.ORG link : CVE-2026-33744

JSON object : View

Products Affected

bentoml

bentoml

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.8 /10