{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33744", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.562Z", "datePublished": "2026-03-27T00:45:08.108Z", "dateUpdated": "2026-03-27T00:45:08.108Z"}, "containers": {"cna": {"title": "BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"version": "< 1.4.37", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:45:08.108Z"}, "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}], "source": {"advisory": "GHSA-jfjg-vc52-wqvf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}], "id": "CVE-2026-33744", "lastModified": "2026-03-27T01:16:21.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.007", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.37)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BentoML", "source": "cna", "vendor": "bentoml"}, "product": "bentoml", "vendor": "bentoml"}], "analysis": {"en": {"generated_at": "2026-03-27T06:22:55.400325+00:00", "value": {"mitigation_remediation": ["Upgrade BentoML to version 1.4.37 or later.", "Verify bentofile.yaml content for unexpected shell commands before running containerize.", "If upgrading is not yet possible, manually sanitize or remove the system_packages field or ensure it contains only trusted package names.", "Implement process isolation so that the docker build runs in a restricted, non\u2011privileged environment."], "summary": {"action": "Patch immediately", "impact": "Dockerfile command injection during containerization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BentoML library when the system_packages field is enabled in bentofile.yaml in every build from any version earlier than 1.4.37. Users of BentoML 1.4.36 and earlier are impacted. The issue was corrected in version 1.4.37, so any release 1.4.37 or later is not vulnerable.", "description_and_impact": "BentoML versions prior to 1.4.37 allow arbitrary strings supplied in the system_packages field of bentofile.yaml to be interpolated directly into Dockerfile RUN commands without any sanitization. This flaw is a form of command injection that lets an attacker execute whichever shell commands they embed when they run bentoml containerize or the subsequent docker build. The result is that the attacker can add malicious binaries, modify the image contents, or otherwise compromise the build process, potentially leading to full control over the image that will later run in production environments.", "risk_and_exploitability": "With a CVSS score of 7.8 the flaw is classified as high severity. The exploit requires the attacker to control or supply the bentofile.yaml used during image creation, which is typically a local privilege or supply chain situation. Because the flaw allows arbitrary code to run in the build environment, it can lead to container breakouts if the build host is not isolated, and any container built from a compromised image inherits the attacker\u2019s code. No EPSS data is available, and the vulnerability is not currently listed in the CISA KEV catalog, but the high CVSS score and ability to fully compromise the image make the risk significant for organizations that rely on BentoML for production deployments."}}}}, "created": "2026-03-27T08:31:05.585341+00:00", "updated": "2026-03-27T09:22:28.048214+00:00", "vendors": ["bentoml", "bentoml$PRODUCT$bentoml"]}