CVE-2026-24123

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4	Patch
https://github.com/bentoml/BentoML/releases/tag/v1.4.34	Product Release Notes
https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-26 23:16

Updated : 2026-02-03 15:07

NVD link : CVE-2026-24123

Mitre link : CVE-2026-24123

CVE.ORG link : CVE-2026-24123

JSON object : View

Products Affected

bentoml

bentoml

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-24123", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-01-26T23:16:08.460", "references": [{"url": "https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bentoml/BentoML/releases/tag/v1.4.34", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue."}, {"lang": "es", "value": "BentoML es una librer\u00eda de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.34, la configuraci\u00f3n `bentofile.yaml` de BentoML permite ataques de salto de ruta a trav\u00e9s de m\u00faltiples campos de ruta de archivo (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). Un atacante puede crear un bentofile malicioso que, cuando es construido por una v\u00edctima, exfiltra archivos arbitrarios del sistema de archivos al archivo bento. Esto permite ataques a la cadena de suministro donde archivos sensibles (claves SSH, credenciales, variables de entorno) son incrustados silenciosamente en los bentos y expuestos cuando se suben a registros o se despliegan. La versi\u00f3n 1.4.34 contiene un parche para el problema."}], "lastModified": "2026-02-03T15:07:55.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE676E6B-09BB-4BB5-839C-CDA683332ADC", "versionEndExcluding": "1.4.34"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}