CVE-2026-33744
Command Injection in BentoML docker.system_packages Causes RCE
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bentoml | bentoml | to 1.4.37 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33744 is a command injection vulnerability in the BentoML Python library versions prior to 1.4.37. It arises because the `docker.system_packages` field in the `bentofile.yaml` configuration file accepts arbitrary strings that are directly inserted into Dockerfile RUN commands without any sanitization or escaping.
Users expect `system_packages` to be a list of OS package names, but because these values are interpolated verbatim into shell commands during Docker image builds, a maliciously crafted package name can inject and execute arbitrary shell commands.
For example, if a package name includes shell operators like `&&` followed by a command, that command will be executed as root during the Docker build process, leading to arbitrary code execution.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary commands as root during the Docker image build process when using BentoML's containerization features.
- Attackers can publish malicious BentoML projects with crafted `bentofile.yaml` files that execute harmful commands.
- CI/CD pipelines that automatically build BentoML containers from user-submitted code are at risk of remote code execution.
- Cloud services like BentoCloud that build images from user-supplied configurations may be compromised.
- There is a supply chain risk where shared BentoML models or repositories could propagate malicious code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the `bentofile.yaml` files used in your BentoML projects, specifically looking at the `docker.system_packages` field for any suspicious or unexpected shell command injections instead of just package names.
You can also monitor Docker build logs or the output of `bentoml containerize` or `bentoml build` commands for unexpected command execution or side effects such as creation of unusual files (e.g., /tmp/bentoml-pwned).
Suggested commands to detect exploitation attempts or suspicious activity include:
- Search for suspicious entries in bentofile.yaml: `grep -E 'system_packages:' -A 5 bentofile.yaml | grep -vE '^[[:space:]]*-'` to find non-package strings.
- Check Docker build logs for unexpected commands or errors.
- Look for unexpected files created during build, e.g., `ls -l /tmp/bentoml-pwned`.
- Use process monitoring tools during build to detect unexpected command execution.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BentoML to version 1.4.37 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, avoid using or accepting untrusted `bentofile.yaml` files that specify the `docker.system_packages` field.
Implement input validation on the `system_packages` field to ensure only valid package names are allowed, restricting characters to alphanumeric, dots, plus signs, hyphens, underscores, and colons.
Apply output escaping (e.g., using `shlex.quote()` in code and appropriate Jinja2 filters) to sanitize package names before inserting them into Dockerfile commands.
Review and audit CI/CD pipelines and cloud build environments that run BentoML builds to prevent execution of malicious code from crafted `bentofile.yaml` files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows arbitrary code execution during Docker image builds by injecting shell commands into the `system_packages` field of BentoML's configuration. Such unauthorized code execution can lead to compromise of system integrity, confidentiality, and availability.
Because of the high impact on confidentiality, integrity, and availability, this vulnerability poses significant risks to environments that must comply with standards like GDPR and HIPAA, which require strict controls to protect sensitive data and ensure system security.
Specifically, exploitation could lead to unauthorized access or modification of sensitive data, violating data protection requirements and potentially resulting in non-compliance with these regulations.