Platform: python
Component: docker
Fixed in: 1.4.38
1.4.37
1.4.38
CVE-2026-33744 is a command injection vulnerability discovered in BentoML, a Python library for building online serving systems for AI applications. This flaw arises from insufficient sanitization of user-provided input within the docker.system_packages field of the bentofile.yaml configuration file, allowing arbitrary commands to be executed during the containerization process. The vulnerability affects versions of BentoML up to 1.4.37, and a patch is available in version 1.4.37.
An attacker can exploit this vulnerability by crafting a malicious bentofile.yaml file. This file, when used with the bentoml containerize or docker build commands, will inject arbitrary shell commands into the Dockerfile. Successful exploitation allows the attacker to execute commands within the container's build environment, potentially gaining control over the container image and any subsequent deployments. This could lead to data exfiltration, malware installation, or disruption of AI model serving infrastructure. The blast radius extends to any system relying on BentoML-built container images, particularly those involved in sensitive AI applications.
This vulnerability was publicly disclosed on 2026-03-27. There is currently no indication of active exploitation in the wild. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of command injection and the potential for remote code execution, it is prudent to prioritize patching and mitigation.
Exploit Status
EPSS: 0.01% (2% percentile)
The primary mitigation is to upgrade BentoML to version 1.4.37 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider implementing input validation on the docker.system_packages field to prevent the injection of malicious commands. While not a complete solution, restricting the allowed characters or validating against a whitelist of known package names can reduce the attack surface. Review existing bentofile.yaml files for suspicious entries. There are no specific WAF rules or detection signatures readily available, so focusing on secure coding practices and timely patching is crucial. After upgrading, confirm the fix by attempting to build a container image with a bentofile.yaml containing a deliberately malicious system_packages entry; the build should fail with an error indicating invalid input.
Update BentoML to version 1.4.37 or higher. This corrects the command injection vulnerability in the bentofile.yaml file. The update can be performed using the pip package manager: `pip install -U bentoml`.
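One way to carry out the interim validation and the review of existing bentofile.yaml files described above, as an added example that is not BentoML's own code or its fix. It assumes a Debian-based base image (so Debian package-name rules apply) and the function names, regex and sample configurations are constructed for illustration.

```python
import re

# Debian policy: names use lowercase letters, digits, '+', '-', '.', start
# with an alphanumeric and have at least two characters. Optional ':arch'
# and '=version' suffixes are accepted because apt understands them.
_NAME = r"[a-z0-9][a-z0-9+.\-]+"
_ARCH = r"(?::[a-z0-9\-]+)?"
_VERSION = r"(?:=[A-Za-z0-9.+~:\-]+)?"
PACKAGE_RE = re.compile(_NAME + _ARCH + _VERSION)


def audit_system_packages(config):
    """Return (entry, reason) for every docker.system_packages item that is
    not a plain package name. `config` is the parsed bentofile.yaml mapping."""
    docker = config.get("docker") or {}
    if not isinstance(docker, dict):
        return [(repr(docker), "docker is not a mapping")]
    packages = docker.get("system_packages") or []
    if not isinstance(packages, list):
        return [(repr(packages), "system_packages is not a list")]
    findings = []
    for entry in packages:
        if not isinstance(entry, str):
            findings.append((repr(entry), "entry is not a string"))
        elif not PACKAGE_RE.fullmatch(entry):  # fullmatch: no trailing data
            findings.append((entry, "not a plain package name"))
    return findings


def audit_file(path):
    """Audit a bentofile.yaml on disk (requires PyYAML)."""
    import yaml  # imported lazily so the checker itself has no dependencies
    with open(path, encoding="utf-8") as fh:
        return audit_system_packages(yaml.safe_load(fh) or {})


# Constructed sample configurations, not taken from any real project.
CLEAN = {"docker": {"system_packages": ["git", "libstdc++6", "curl=8.5.0-2"]}}
SUSPICIOUS = {"docker": {"system_packages": [
    "git", "curl; echo constructed-marker", "build-essential wget", 42]}}

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        for entry, reason in audit_system_packages(cfg):
            print(f"{label}: {entry!r}: {reason}")
```

Running `audit_file` over every bentofile.yaml in a repository as a CI step before `bentoml containerize` rejects entries before they reach the Dockerfile; it complements the upgrade and does not replace it.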
CVE-2026-33744 is a command injection vulnerability in BentoML versions up to 1.4.37. It allows attackers to execute arbitrary commands during container image builds by manipulating the docker.system_packages field in bentofile.yaml.
You are affected if you are using BentoML versions 1.4.37 or earlier. Carefully review your bentofile.yaml configurations.
Upgrade to BentoML version 1.4.37 or later to resolve the vulnerability. Implement input validation on the docker.system_packages field as an interim measure.
There is currently no evidence of active exploitation in the wild, but the vulnerability's severity warrants prompt mitigation.
Refer to the official BentoML security advisory for detailed information and updates: https://github.com/bentoml/bentoml/security/advisories/GHSA-xxxx-xxxx-xxxx