CVE-2026-44345

HIGH

BentoML: Dockerfile command injection via docker.base_image

Title source: cna

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/bentoml/BentoML/security/advisories/GHSA-78f9-r8mh-4xm2

Scores

CVSS v3 8.8

EPSS 0.0026

EPSS Percentile 17.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (3)

bentoml/bentoml < 1.4.39

bentoml/BentoML < 1.4.39

pypi/bentoml 0 - 1.4.39PyPI

Published May 27, 2026

Tracked Since May 27, 2026