Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.8
Docker Command Injection in BentoML via bentofile.yaml
GHSA-jfjg-vc52-wqvf
CVE-2026-33744
Summary
BentoML's Dockerfile generation in bentofile.yaml allows a malicious user to execute arbitrary system commands when building a container. This can happen if a user includes a malicious string in the system_packages field of bentofile.yaml. To prevent this, ensure that the system_packages field only contains valid package names and do not include any shell commands. Consider using a safe and trusted source for package names.
What to do
- Update bentoml to version 1.4.37.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | bentoml | <= 1.4.36 | 1.4.37 |
Original title
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary ...
Original description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
ghsa CVSS3.1
7.8
Vulnerability type
CWE-94
Code Injection
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 26 Mar 2026