BentoML Vulnerability Allows Host Code Execution via Malicious Archives


CVE Notify is flagging a critical vulnerability in the BentoML Python library, specifically affecting versions prior to 1.4.38. The issue lies within the generate_containerfile() function, which is responsible for creating Dockerfiles for AI application deployments. According to CVE Notify, this function improperly uses an unsandboxed Jinja2 environment with the do extension to process user-provided Dockerfile templates.

This setup creates a dangerous path for attackers. When a user imports a compromised BentoML archive and then runs the bentoml containerize command, malicious Jinja2 template code embedded within the archive can be executed directly on the host machine. CVE Notify highlights that this bypasses container isolation entirely, giving an attacker arbitrary Python code execution capabilities on the host system. This is a serious supply-chain risk for any organization relying on BentoML for their AI serving infrastructure.

The good news is that this vulnerability has been patched in BentoML version 1.4.38. Users are strongly advised to update immediately to mitigate the risk of host compromise through malicious BentoML archives.
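As an added illustration (not BentoML's own code; the function names and both template strings are constructed for this example), here is the unsandboxed rendering pattern the advisory describes beside a sandboxed, fail-closed variant that still supports the do extension, plus a pre-flight check a CI gate could run on a template before containerization:

```python
"""Rendering a user-supplied Dockerfile template: the unsandboxed pattern
the advisory describes beside a sandboxed, fail-closed variant.

Added illustration, not BentoML's code: the functions and template
strings below are constructed for this example. Requires jinja2.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed template of the kind an archive may legitimately carry.
# It relies on the `do` extension (`{% do %}`) to mutate a list in place.
DOCKERFILE_TEMPLATE = """\
FROM {{ base_image }}
{% set pkgs = [] %}
{% do pkgs.append("ca-certificates") %}
{% for p in pkgs %}
RUN apt-get install -y {{ p }}
{% endfor %}
"""

# Constructed probe: reaches into a Python object's internals through a
# private (dunder) attribute, something a Dockerfile template never needs.
PRIVATE_ATTR_TEMPLATE = "FROM {{ base_image.__class__ }}\n"

_COMMON = dict(extensions=["jinja2.ext.do"], trim_blocks=True, lstrip_blocks=True)


def render_unsandboxed(template_src: str, **ctx) -> str:
    """The risky pattern: a plain Environment exposes the full Python
    object graph behind every value in the render context."""
    return Environment(**_COMMON).from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, **ctx) -> str:
    """Hardened form: SandboxedEnvironment blocks private and internal
    attributes; StrictUndefined turns a blocked access into a SecurityError
    at render time instead of silently rendering it as an empty string."""
    env = SandboxedEnvironment(undefined=StrictUndefined, **_COMMON)
    return env.from_string(template_src).render(**ctx)


def template_is_rejected(template_src: str, **ctx) -> bool:
    """Pre-flight check for a CI gate: True if the sandbox refuses the template."""
    try:
        render_sandboxed(template_src, **ctx)
    except SecurityError:
        return True
    return False
```

Calling `template_is_rejected(PRIVATE_ATTR_TEMPLATE, base_image="x")` returns True, while the legitimate template renders identically in both environments.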

What This Means For You

  • Audit your CI/CD pipelines and development workflows to ensure that only trusted and verified BentoML archives are used in production environments, especially before containerization.

Related ATT&CK Techniques

Indicators of Compromise

ID             | Type           | Indicator
CVE-2026-35044 | Code Injection | BentoML versions prior to 1.4.38; vulnerable function: generate_containerfile() in src/bentoml/_internal/container/generate.py; vulnerable component: unsandboxed jinja2.Environment with the jinja2.ext.do extension used to render user-provided dockerfile_template files.
CVE-2026-35044 | RCE            | BentoML versions prior to 1.4.38; attacker-controlled Jinja2 template code executed on the host machine via a malicious bento archive import followed by the bentoml containerize command.