Executive Summary

CVE-2026-35043 is a critical remote code execution vulnerability in BentoML versions up to 1.4.37. It occurs because the cloud deployment setup script directly inserts user-controlled package names into a shell command without proper quoting or sanitization.

Specifically, the vulnerability is in the function that builds the setup script for installing system packages, where package names from a configuration file (bentofile.yaml) are interpolated into an apt-get install command using an f-string without escaping shell metacharacters.

An attacker can craft malicious package names containing shell metacharacters like semicolons and command substitutions to break out of the intended command and execute arbitrary commands on the cloud build infrastructure during deployment.

This allows remote code execution on the CI/CD tier, potentially compromising the build environment and infrastructure.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability enables remote code execution on the cloud build infrastructure during deployment, which can lead to severe risks such as supply chain attacks, insider threats, and CI/CD pipeline compromises.

Because the build environment has elevated privileges and access to container registries, artifact storage, and deployment APIs, exploitation could result in unauthorized access to sensitive data or systems.

Such unauthorized access and potential data exfiltration could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information.

Therefore, this vulnerability poses a risk to maintaining compliance with these regulations by potentially exposing sensitive data through compromised build infrastructure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution on the cloud build infrastructure or enterprise Kubernetes build nodes during deployment.

• Attackers can execute arbitrary commands with elevated privileges in the build environment.
• It enables supply chain attacks by poisoning Bento packages.
• It can facilitate insider threats through malicious deployment configurations.
• It compromises the CI/CD pipeline, potentially allowing attackers to access container registries, artifact storage, and deployment APIs.

Overall, this vulnerability poses severe risks to the security and integrity of your software deployment and infrastructure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious command injection patterns in the system_packages entries within the bentofile.yaml used during deployment.

Specifically, look for suspicious shell metacharacters such as semicolons, command substitutions, or unusual use of variables like ${IFS} in the package names.

One way to detect exploitation attempts is to inspect the generated setup.sh script for injected commands or unexpected commands following the apt-get install line.

On a system where the vulnerability might have been exploited, you can check for artifacts such as unexpected files created by injected commands (e.g., /tmp/PWNED_BY_INJECTION).

Suggested commands include:

• grep -E 'system_packages:.*[;\$\(\)]' bentofile.yaml
• grep -E 'apt-get install.*;' setup.sh
• ls -l /tmp | grep PWNED_BY_INJECTION

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade BentoML to version 1.4.38 or later, where the vulnerability has been fixed by properly quoting system package names to prevent command injection.

Until the upgrade is applied, avoid using untrusted or user-controlled inputs in the system_packages field of bentofile.yaml to prevent injection of malicious commands.

Review and sanitize any existing bentofile.yaml configurations to ensure no shell metacharacters or command injection payloads are present.

Additionally, monitor your CI/CD build infrastructure for suspicious activity or unexpected commands executed during deployment.

Useful 0 Not Useful 0