CVE-2026-33744
Received Received - Intake
Command Injection in BentoML docker.system_packages Causes RCE

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33744
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bentoml bentoml to 1.4.37 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33744 is a command injection vulnerability in the BentoML Python library versions prior to 1.4.37. It arises because the `docker.system_packages` field in the `bentofile.yaml` configuration file accepts arbitrary strings that are directly inserted into Dockerfile RUN commands without any sanitization or escaping.

Users expect `system_packages` to be a list of OS package names, but because these values are interpolated verbatim into shell commands during Docker image builds, a maliciously crafted package name can inject and execute arbitrary shell commands.

For example, if a package name includes shell operators like `&&` followed by a command, that command will be executed as root during the Docker build process, leading to arbitrary code execution.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands as root during the Docker image build process when using BentoML's containerization features.

  • Attackers can publish malicious BentoML projects with crafted `bentofile.yaml` files that execute harmful commands.
  • CI/CD pipelines that automatically build BentoML containers from user-submitted code are at risk of remote code execution.
  • Cloud services like BentoCloud that build images from user-supplied configurations may be compromised.
  • There is a supply chain risk where shared BentoML models or repositories could propagate malicious code.
Detection Guidance

This vulnerability can be detected by inspecting the `bentofile.yaml` files used in your BentoML projects, specifically looking at the `docker.system_packages` field for any suspicious or unexpected shell command injections instead of just package names.

You can also monitor Docker build logs or the output of `bentoml containerize` or `bentoml build` commands for unexpected command execution or side effects such as creation of unusual files (e.g., /tmp/bentoml-pwned).

Suggested commands to detect exploitation attempts or suspicious activity include:

  • Search for suspicious entries in bentofile.yaml: `grep -E 'system_packages:' -A 5 bentofile.yaml | grep -vE '^[[:space:]]*-'` to find non-package strings.
  • Check Docker build logs for unexpected commands or errors.
  • Look for unexpected files created during build, e.g., `ls -l /tmp/bentoml-pwned`.
  • Use process monitoring tools during build to detect unexpected command execution.
Mitigation Strategies

The immediate mitigation step is to upgrade BentoML to version 1.4.37 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, avoid using or accepting untrusted `bentofile.yaml` files that specify the `docker.system_packages` field.

Implement input validation on the `system_packages` field to ensure only valid package names are allowed, restricting characters to alphanumeric, dots, plus signs, hyphens, underscores, and colons.

Apply output escaping (e.g., using `shlex.quote()` in code and appropriate Jinja2 filters) to sanitize package names before inserting them into Dockerfile commands.

Review and audit CI/CD pipelines and cloud build environments that run BentoML builds to prevent execution of malicious code from crafted `bentofile.yaml` files.

Compliance Impact

This vulnerability allows arbitrary code execution during Docker image builds by injecting shell commands into the `system_packages` field of BentoML's configuration. Such unauthorized code execution can lead to compromise of system integrity, confidentiality, and availability.

Because of the high impact on confidentiality, integrity, and availability, this vulnerability poses significant risks to environments that must comply with standards like GDPR and HIPAA, which require strict controls to protect sensitive data and ensure system security.

Specifically, exploitation could lead to unauthorized access or modification of sensitive data, violating data protection requirements and potentially resulting in non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart