Executive Summary

CVE-2026-35044 is a high-severity Server-Side Template Injection (SSTI) vulnerability in the BentoML Python library versions up to 1.4.37. The vulnerability occurs in the Dockerfile generation function generate_containerfile(), which uses an unsandboxed Jinja2 environment with dangerous extensions to render user-provided Dockerfile templates.

Because the Jinja2 environment is unsandboxed and includes extensions like jinja2.ext.do and jinja2.ext.debug, an attacker can embed malicious Jinja2 template code in a Bento archive. When a victim imports this malicious archive and runs bentoml containerize, the attacker-controlled template executes arbitrary Python code directly on the host machine, bypassing Docker container isolation.

This means the attacker can run any Python code on the host before any container is created, leading to full host compromise.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary Python code on the host machine of any user who imports and containerizes a malicious Bento archive.

• Full arbitrary code execution on the host machine.
• Potential access to sensitive host filesystem data such as source code, credentials, SSH keys, and cloud tokens.
• Ability to install backdoors or pivot to other systems.
• Exposure of environment variables containing secrets like API keys and database credentials.
• Risk of supply chain compromise, especially if the victim’s machine is part of CI/CD pipelines.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your BentoML installation is using a vulnerable version (prior to 1.4.38) and if the Dockerfile generation function uses an unsandboxed Jinja2 environment with dangerous extensions like jinja2.ext.do and jinja2.ext.debug.

To detect exploitation attempts, you can look for unexpected files or commands executed on the host, such as the presence of files like /tmp/pwned which may indicate arbitrary code execution.

Suggested commands to check for signs of exploitation or vulnerability include:

• Check BentoML version: `bentoml --version` or inspect installed package version via `pip show bentoml`.
• Search for suspicious files created by exploitation payloads, e.g., `ls -l /tmp/pwned`.
• Monitor recent commands or processes that might indicate template injection, e.g., `ps aux | grep bentoml` or check shell history for unusual `bentoml containerize` usage.
• Audit Bento archives imported recently for malicious Dockerfile templates containing Jinja2 payloads.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade BentoML to version 1.4.38 or later, where the vulnerability is fixed.

This fix replaces the unsandboxed Jinja2 environment with a sandboxed one and removes dangerous extensions like jinja2.ext.do and jinja2.ext.debug from the Dockerfile generation process.

Additionally, avoid importing and containerizing untrusted Bento archives, as malicious templates embedded in these archives can execute arbitrary code on the host.

If upgrading immediately is not possible, consider auditing and sanitizing any Bento archives before importing and containerizing them.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to execute arbitrary Python code on the host machine, potentially leading to full host compromise.

Such a compromise can result in unauthorized access to sensitive data including source code, credentials, SSH keys, cloud tokens, and environment variables containing secrets like API keys and database credentials.

Exposure or theft of sensitive personal or protected health information due to this vulnerability could lead to non-compliance with regulations such as GDPR and HIPAA, which mandate strict controls over data confidentiality and integrity.

Additionally, the risk of supply chain compromise, especially in CI/CD pipelines, increases the likelihood of widespread data breaches and regulatory violations.

Useful 0 Not Useful 0