CVE-2026-35044

HIGH

BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation

Title source: cna

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.

References (1)

[X_Refsource_Confirm] https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-1336

Status published

Products (3)

bentoml/bentoml < 1.4.38

bentoml/BentoML < 1.4.38

pypi/bentoml 0 - 1.4.38PyPI

Published Apr 06, 2026

Tracked Since Apr 06, 2026