Security Advisory - Published 2026-05-28
CVE-2026-44329: BentoML Dockerfile Injection Self-Check
CVE-2026-44329 affects BentoML build workflows that containerize untrusted or shared
Bentos. A crafted bento.yaml can alter the generated Dockerfile during
bentoml containerize. Check CI pipelines, model intake workflows, and
build hosts before continuing to containerize external submissions.
What's actually happening here
BentoML is a popular open-source framework for serving ML models. When you run
bentoml containerize, it generates a Dockerfile from a Jinja2 template.
The template file base_v2.j2 interpolates the docker.base_image
field from bento.yaml directly - no escaping, no newline filtering, no
validation whatsoever.
So an attacker crafts a bento.yaml with a multi-line docker.base_image value.
The newlines break out of the FROM directive and inject arbitrary RUN commands
into the generated Dockerfile. When docker build runs, those injected commands
execute as root inside the build container, with whatever the builder exposes to
build steps: the network, build secrets and cache, registry credentials, and, on CI
runners that mount the Docker socket or run privileged builders, effectively the
build host itself.
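The breakout described above, reduced to a runnable illustration. This is an added example, not code from BentoML or from the advisory: the template line is a stand-in for the interpolation in base_v2.j2, the crafted value uses a harmless marker command in place of a real payload, and the image-reference pattern is a deliberately strict subset of Docker's reference grammar that you would tune before relying on it.

```python
import re

# Constructed stand-in for the Jinja2 template line that interpolates
# docker.base_image verbatim; the real base_v2.j2 is not reproduced here.
TEMPLATE = "FROM {base_image}\nWORKDIR /home/bentoml\nCOPY . .\n"

# Constructed bento.yaml value: a legitimate tag, a newline, then an injected
# instruction. The marker command is harmless; an attacker's would be arbitrary.
CRAFTED = "python:3.11-slim\nRUN echo injected > /tmp/marker"
CLEAN = "python:3.11-slim"


def render_dockerfile_unsafe(base_image: str) -> str:
    """Mirror the pre-1.4.39 behaviour: interpolate with no validation at all."""
    return TEMPLATE.format(base_image=base_image)


# Image reference shape: [registry[:port]/]path[:tag][@sha256:digest].
# Hypothetical, stricter than Docker's full grammar (e.g. no uppercase registry
# hostnames); loosen it to match the registries you actually pull from.
_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_REFERENCE = re.compile(
    rf"^(?:[a-z0-9.-]+(?::[0-9]+)?/)?{_COMPONENT}(?:/{_COMPONENT})*"
    r"(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?"
    r"(?:@sha256:[a-f0-9]{64})?$"
)


def validate_base_image(value: str) -> bool:
    """Reject anything that could escape the FROM line, then require a real reference."""
    if not value or any(c.isspace() or ord(c) < 0x20 for c in value):
        return False
    return _REFERENCE.fullmatch(value) is not None


def render_dockerfile_safe(base_image: str) -> str:
    """What a fixed generator does: validate before the value reaches the template."""
    if not validate_base_image(base_image):
        raise ValueError(f"docker.base_image is not a valid image reference: {base_image!r}")
    return TEMPLATE.format(base_image=base_image)


def injected_instructions(dockerfile: str) -> list[str]:
    """Every instruction that landed between FROM and the template's own WORKDIR."""
    lines = dockerfile.splitlines()
    return lines[1:lines.index("WORKDIR /home/bentoml")]


if __name__ == "__main__":
    print(render_dockerfile_unsafe(CRAFTED))
    print("injected:", injected_instructions(render_dockerfile_unsafe(CRAFTED)))
    print("valid clean:", validate_base_image(CLEAN), "valid crafted:", validate_base_image(CRAFTED))
```

The whitespace and control-character check is the part that closes this bug; the reference regex is defence in depth so that a value which merely looks odd (a space, a stray quote) fails early rather than reaching docker build.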
If your CI pipeline imports third-party Bentos and containerizes them, treat the build host as part of the exposure. Public PoC material exists, and the fix landed in BentoML 1.4.39.
Am I affected?
You're affected if:
- You run BentoML < 1.4.39
- You import Bentos from external sources (model hubs, shared repos, client submissions)
- You run bentoml containerize anywhere - local dev, CI, staging, prod
Even if you only containerize your own models, you're still exposed if anyone with write
access to your bentofile.yaml, your repository, or the built Bento artifact (a compromised
developer account, a malicious commit, a tampered artifact store) can set that field.
Check your BentoML version
# Python environment where BentoML is installed
pip show bentoml | grep Version
# Or check from within Python
python -c "import bentoml; print(bentoml.__version__)"
If the version is below 1.4.39, you're vulnerable. Full stop.
Check for signs of exploitation
If you've been importing external Bentos and containerizing them, check your Docker build history for suspicious activity:
# Layer history of every local image tagged as a Bento; an injected RUN shows up as an
# unexpected layer right after the base image (docker history takes one image at a time)
for img in $(docker images -q --filter "reference=*bento*"); do
  echo "== $img"
  docker history --no-trunc "$img"
done
# Containers that exited after running something unexpected
docker ps -a --filter "status=exited" --format "table {{.Names}}\t{{.Command}}\t{{.Status}}"
# Injected commands run inside the build container, so host-side artifacts only
# appear if the builder bind-mounts host paths or has host access; check anyway
find /tmp -name "*.sh" -newer /etc/passwd -ls 2>/dev/null
find /var/tmp -type f -newer /etc/passwd -ls 2>/dev/null
The fix
# Upgrade immediately (quote the spec so the shell does not treat > as a redirect)
pip install --upgrade "bentoml>=1.4.39"
# If you can't upgrade right now, stop importing external Bentos and audit every
# bentofile.yaml and bento.yaml for docker.base_image values written as block
# scalars (| or >) or quoted strings containing \n. ~/bentoml/bentos is the
# default Bento store; adjust if BENTOML_HOME is set.
grep -rn -A3 "base_image" bentofile.yaml bento.yaml ~/bentoml/bentos 2>/dev/null
The patch adds proper validation and escaping to the template rendering. Multi-line
values in docker.base_image now get rejected before they reach the
Dockerfile generator.
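A grep shows you the key but not the value the YAML loader will actually produce, which is what matters when the payload hides in a block scalar or a quoted "\n". The audit below is an added example, not BentoML's code: it is a targeted extractor for the one key, not a YAML parser, it assumes the default Bento store layout under ~/bentoml/bentos (override the root if BENTOML_HOME is set), and the three sample documents are constructed, not taken from any real Bento.

```python
import json
import os
import re

# Matches the base_image key at any indentation and captures whatever follows it.
_KEY = re.compile(r"^(?P<indent>[ \t]*)base_image:[ \t]*(?P<rest>.*?)[ \t]*$")


def extract_base_image(yaml_text: str):
    """Return docker.base_image as the YAML loader would see it, or None if absent.

    Handles the forms a bento.yaml value can take: plain scalar, single- and
    double-quoted strings, and block scalars (| or >). Not a general YAML parser.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = _KEY.match(line)
        if not m:
            continue
        indent, rest = len(m.group("indent")), m.group("rest")
        if rest and rest[0] in "|>":
            # Block scalar: every following line indented deeper than the key.
            # Folded (>) is treated like literal (|); either way it is multi-line.
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() == "" or len(nxt) - len(nxt.lstrip(" ")) > indent:
                    body.append(nxt.strip())
                else:
                    break
            return "\n".join(body).strip("\n")
        if rest.startswith('"'):
            # YAML double-quoted escapes are a superset of JSON's, so \n decodes here.
            try:
                return json.loads(rest)
            except ValueError:
                return rest
        if rest.startswith("'"):
            return rest[1:-1].replace("''", "'")
        return rest.split(" #", 1)[0].strip()
    return None


def audit_bento_yaml(yaml_text: str, path: str = "<inline>") -> list:
    """Flag a docker.base_image value that could break out of the FROM line."""
    value = extract_base_image(yaml_text)
    if value is None:
        return []
    findings = []
    if "\n" in value or "\r" in value:
        findings.append(f"{path}: multi-line docker.base_image (Dockerfile injection): {value!r}")
    elif re.search(r"\s", value):
        findings.append(f"{path}: whitespace in docker.base_image: {value!r}")
    return findings


def audit_tree(root: str = os.path.expanduser("~/bentoml/bentos")) -> list:
    """Walk a Bento store (default layout assumed) and audit every bento.yaml/bentofile.yaml."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in ("bento.yaml", "bentofile.yaml"):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8") as fh:
                    findings.extend(audit_bento_yaml(fh.read(), p))
    return findings


# Constructed samples: one clean, one block-scalar payload, one escaped-newline payload.
CLEAN_YAML = """\
docker:
  distro: debian
  base_image: python:3.11-slim
"""
BLOCK_SCALAR_YAML = """\
docker:
  base_image: |
    python:3.11-slim
    RUN echo injected > /tmp/marker
"""
QUOTED_YAML = 'docker:\n  base_image: "python:3.11-slim\\nRUN echo injected"\n'

if __name__ == "__main__":
    for doc in (CLEAN_YAML, BLOCK_SCALAR_YAML, QUOTED_YAML):
        print(audit_bento_yaml(doc) or "clean")
    print(audit_tree())
```

Run audit_tree() on every build host and CI runner that has imported external Bentos; any finding is a Bento that should not be containerized, and a reason to treat that host as exposed.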
Why this matters beyond BentoML
This is not only a BentoML maintenance issue. It is the same build-time code execution pattern that affects any system generating Dockerfiles from untrusted input. If your pipeline interpolates external values into a Dockerfile template, review that path too.
Audit Dockerfile generators that touch FROM, RUN,
ENV, or ARG. Values from model metadata, client uploads,
build variables, or repository manifests need validation before they reach a template.
Need help?
Ping7 can review the BentoML version, CI build history, Dockerfile generation path,
and build-host indicators. Start from CVE Repair if the build host handled external
Bentos or you cannot confirm where bento.yaml files came from.
- Free quick check: Send the BentoML version and whether external Bentos were containerized.
- Patch review: $99 for single-service environments.
- CI/CD security audit: $299 - Dockerfile generation, secrets handling, and build isolation.
References
- NVD: CVE-2026-44329
- GitHub Advisory: GHSA-78f9-r8mh-4xm2
- Fixed in: BentoML 1.4.39
- CWE-78: OS Command Injection