CVE-2026-33744

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-27 01:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33744

Mitre link : CVE-2026-33744

CVE.ORG link : CVE-2026-33744

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-33744", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-27T01:16:21.007", "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}, {"lang": "es", "value": "BentoML es una biblioteca de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.37, el campo 'docker.system_packages' en 'bentofile.yaml' aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos 'RUN' de Dockerfile sin sanitizaci\u00f3n. Dado que 'system_packages' es sem\u00e1nticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un 'bentofile.yaml' malicioso logra la ejecuci\u00f3n arbitraria de comandos durante 'bentoml containerize' / 'docker build'. La versi\u00f3n 1.4.37 corrige el problema."}], "lastModified": "2026-03-30T13:26:29.793", "sourceIdentifier": "security-advisories@github.com"}