Threat Advisory

BentoML Dockerfile Vulnerability Exposes Command Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in BentoML, a Python framework for building, testing, and deploying machine learning models. The affected software includes the pip package "bentoml" with versions less than or equal to 1.4.38. These vulnerabilities allow an attacker to inject arbitrary Dockerfile commands, leading to Remote Code Execution (RCE) on the victim's host during the "bentoml containerize" process. This could result in significant business risk and impact, including exposure of sensitive data, disruption of business operations, and reputational damage.


  • CVE-2026-44345 with a CVSS score of 8.8 – This vulnerability is caused by the mishandling of the "docker.base_image" field in the "bento.yaml" file. An attacker can inject arbitrary Dockerfile commands by using a multi-line value for this field. Attacker capability is high, because arbitrary commands can be executed on the victim's host. Exploitation requires access to the "bento.yaml" file and the ability to run the "bentoml containerize" command.
  • CVE-2026-44346 with a CVSS score of 8.8 – This vulnerability is caused by the mishandling of the "envs[*].name" field in the "bento.yaml" file. An attacker can inject arbitrary Dockerfile commands by using a newline-injected value for this field. Attacker capability is high, because arbitrary commands can be executed on the victim's host. Exploitation requires access to the "bento.yaml" file and the ability to run the "bentoml containerize" command.
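
As an added illustration (not taken from the referenced advisories or from BentoML's code), the Python check below flags newline or other control characters in the two affected fields of a parsed "bento.yaml" before "bentoml containerize" is run. The function names, the constructed sample configs and the stricter env-name pattern are assumptions of this example.

```python
import re

# Any ASCII control character, including \n and \r, can end the Dockerfile
# instruction the value is rendered into and start a new one.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Assumption of this example: env names follow the usual shell identifier form.
_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _check(path, value, findings, pattern=None):
    """Append a (path, reason) finding if the value is unsafe to render."""
    if not isinstance(value, str):
        findings.append((path, "not a string"))
    elif _CONTROL.search(value):
        findings.append((path, "contains newline/control character"))
    elif pattern is not None and not pattern.fullmatch(value):
        findings.append((path, "unexpected characters"))


def audit_bento_config(cfg):
    """Return (field_path, reason) findings for a parsed bento.yaml mapping."""
    findings = []
    docker = cfg.get("docker") or {}
    if isinstance(docker, dict) and docker.get("base_image") is not None:
        _check("docker.base_image", docker["base_image"], findings)
    envs = cfg.get("envs") or []
    for i, env in enumerate(envs if isinstance(envs, list) else []):
        if isinstance(env, dict) and "name" in env:
            _check(f"envs[{i}].name", env["name"], findings, _ENV_NAME)
    return findings


def audit_bento_file(path):
    """Parse a bento.yaml from disk (needs PyYAML) and audit it."""
    import yaml  # imported lazily so the checks above have no dependencies
    with open(path, encoding="utf-8") as fh:
        return audit_bento_config(yaml.safe_load(fh) or {})


# Constructed sample configs, shaped as a YAML parser would return them.
CLEAN = {"docker": {"base_image": "python:3.11-slim"},
         "envs": [{"name": "MODEL_DIR", "value": "/models"}]}
SUSPECT = {"docker": {"base_image": "python:3.11-slim\nRUN echo constructed-marker"},
           "envs": [{"name": "MODEL_DIR\nRUN echo constructed-marker", "value": "x"}]}

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_bento_config(cfg))
```

A non-empty result is a reason to stop the build and review the "bento.yaml" file, particularly when it comes from a third party.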

The exploitation of these vulnerabilities could result in significant business risk and impact, including exposure of sensitive data, disruption of business operations, and reputational damage. It is essential for all BentoML users to upgrade to the latest version of the software and take immediate action to mitigate these vulnerabilities.

RECOMMENDATION:

  • We recommend updating the pip package "bentoml" to version 1.4.39.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-78f9-r8mh-4xm2
https://github.com/advisories/GHSA-w2pm-x38x-jp44
