Platform: python
Component: docker
Fixed in
1.4.39
1.4.38
1.4.39
CVE-2026-35044 is a remote code execution (RCE) vulnerability affecting BentoML, a Python library for building online serving systems for AI applications. An attacker can exploit this vulnerability by importing a malicious Bento archive and triggering the containerization process, leading to arbitrary Python code execution on the host machine, effectively bypassing container isolation. This vulnerability impacts versions of BentoML up to and including 1.4.38, and a fix is available in version 1.4.38.
The primary impact of CVE-2026-35044 is the potential for complete host compromise. An attacker who can successfully import a malicious Bento archive can execute arbitrary Python code with the privileges of the user running the bentoml containerize command. This could lead to data exfiltration, system takeover, or further attacks against other systems on the network. The vulnerability's ability to bypass container isolation significantly elevates the risk, as it circumvents a key security mechanism designed to isolate applications. This is similar to vulnerabilities that exploit Jinja2 templating engines where untrusted input is rendered without proper sanitization.
CVE-2026-35044 was publicly disclosed on 2026-04-06. The EPSS score is currently pending evaluation, but the RCE nature of the vulnerability suggests a potentially high probability of exploitation. Public proof-of-concept code is likely to emerge given the vulnerability's severity and the ease of exploitation. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.04% (13% percentile)
The primary mitigation for CVE-2026-35044 is to upgrade BentoML to version 1.4.38 or later. If upgrading is not immediately feasible, consider restricting the sources from which Bento archives are imported to trusted locations only. Thoroughly review any Bento archives before importing them, paying close attention to any unusual or unexpected code. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious activity related to BentoML containerization processes. There are no specific Sigma or YARA rules available at this time, but monitoring Python process execution for unexpected behavior is recommended.
Update to version 1.4.38 or higher to mitigate the vulnerability. This version fixes the issue by removing the use of an unprotected Jinja2 environment in Dockerfile generation.
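One way to do the pre-import archive review recommended above, as an added example (not BentoML's code and not part of the advisory): it lists Jinja2 template blocks inside an archive that use underscore-prefixed lookups, without extracting or rendering anything. It assumes the Bento archive is a tar file (optionally compressed); the page does not say which members hold templates, so every member is scanned, and the pattern list, member names and sample contents are constructed for illustration.

```python
import io
import re
import tarfile

# Jinja2 expression ({{ ... }}) and statement ({% ... %}) blocks.
JINJA_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
# Underscore-prefixed attribute or item lookups (and the attr filter, which does
# the same lookup by name) have no place in a Dockerfile template.
SUSPICIOUS = re.compile(r"""\.\s*_\w|\[\s*['"]_\w|\|\s*attr\s*\(""")
SCAN_LIMIT = 1 << 20  # bytes read per member; larger members are scanned up to here


def scan_bento_archive(fileobj):
    """Return [(member, line, snippet)] for template blocks worth a manual look."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Read in memory only; nothing is extracted to disk or rendered.
            data = tar.extractfile(member).read(SCAN_LIMIT)
            text = data.decode("utf-8", errors="replace")
            for block in JINJA_BLOCK.finditer(text):
                if SUSPICIOUS.search(block.group()):
                    line = text.count("\n", 0, block.start()) + 1
                    findings.append((member.name, line, block.group()[:80]))
    return findings


def build_sample_archive(files):
    """Constructed input: an in-memory tar.gz holding {member_name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_archive({  # hypothetical member names and contents
        "demo_bento/Dockerfile.template": "FROM base\n{{ cfg.__class__ }}\n",
        "demo_bento/README.md": "Serve with {{ service_name }}\n",
    })
    for name, line, snippet in scan_bento_archive(sample):
        print(f"{name}:{line}: {snippet}")
```

An empty result only means these patterns were not found in the bytes scanned; it is a triage aid alongside the upgrade, not a replacement for it.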
CVE-2026-35044 is a remote code execution vulnerability in BentoML versions up to 1.4.38. It allows attackers to execute arbitrary Python code on the host machine by importing malicious Bento archives.
You are affected if you are using BentoML versions 1.4.38 or earlier. Upgrade to 1.4.38 to resolve the vulnerability.
Upgrade BentoML to version 1.4.38 or later. Restrict the sources of Bento archives you import to trusted locations.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Refer to the official BentoML security advisory for detailed information and updates: https://github.com/bentoml/bentoml/security/advisories/GHSA-5g93-449x-647f