Security Advisory - Published 2026-05-28

CVE-2026-44329: BentoML Dockerfile Injection Self-Check

CVE-2026-44329 affects BentoML build workflows that containerize untrusted or shared Bentos. A crafted bento.yaml can alter the generated Dockerfile during bentoml containerize. Check CI pipelines, model intake workflows, and build hosts before continuing to containerize external submissions.

What's actually happening here

BentoML is a popular open-source framework for serving ML models. When you run bentoml containerize, it generates a Dockerfile from a Jinja2 template. The template file base_v2.j2 interpolates the docker.base_image field from bento.yaml directly - no escaping, no newline filtering, no validation whatsoever.

So an attacker crafts a bento.yaml with a multi-line docker.base_image value. The newlines break out of the FROM directive and inject arbitrary RUN commands into the generated Dockerfile. When docker build runs, those injected commands execute with whatever privileges Docker has - which on most setups means root on the host.

If your CI pipeline imports third-party Bentos and containerizes them, treat the build host as part of the exposure. Public PoC material exists, and the fix landed in BentoML 1.4.39.

Am I affected?

You're affected if:

  • You run BentoML < 1.4.39
  • You import Bentos from external sources (model hubs, shared repos, client submissions)
  • You run bentoml containerize anywhere - local dev, CI, staging, prod

Even if you only containerize your own models, you're technically vulnerable if anyone with write access to your bento.yaml goes rogue.

Check your BentoML version

# Python environment where BentoML is installed
pip show bentoml | grep Version

# Or check from within Python
python -c "import bentoml; print(bentoml.__version__)"

If the version is below 1.4.39, you're vulnerable. Full stop.

Check for signs of exploitation

If you've been importing external Bentos and containerizing them, check your Docker build history for suspicious activity:

# Inspect the layer history of bento images for unexpected RUN steps
# (docker history takes one image at a time, so loop over the matches)
for img in $(docker images -q --filter "reference=*bento*" | sort -u); do
  docker history --no-trunc "$img" 2>/dev/null
done

# Check for containers that ran unexpected commands
docker ps -a --filter "status=exited" --format "table {{.Names}}\t{{.Command}}\t{{.Status}}"

# Scan for recently modified system files on build hosts
find /tmp -name "*.sh" -newer /etc/passwd -ls 2>/dev/null
find /var/tmp -type f -newer /etc/passwd -ls 2>/dev/null

The fix

# Upgrade immediately (quote the spec so the shell does not treat > as a redirect)
pip install --upgrade "bentoml>=1.4.39"

# If you can't upgrade right now, stop importing external Bentos
# and audit any bento.yaml files for multi-line docker.base_image values
# (-A2 shows the lines after the key, where a block or folded scalar continues):
grep -rn -A2 "base_image" bentofile.yaml bento.yaml 2>/dev/null

The patch adds proper validation and escaping to the template rendering. Multi-line values in docker.base_image now get rejected before they reach the Dockerfile generator.

Why this matters beyond BentoML

This is not only a BentoML maintenance issue. It is the same build-time code execution pattern that affects any system generating Dockerfiles from untrusted input. If your pipeline interpolates external values into a Dockerfile template, review that path too.

Audit Dockerfile generators that touch FROM, RUN, ENV, or ARG. Values from model metadata, client uploads, build variables, or repository manifests need validation before they reach a template.
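The validation the fix adds, and the "validate before the template" rule above, as an added Python example that is not BentoML's own code: a strict image-reference check, a hardened FROM renderer that refuses any value the check rejects, and an intake gate over loaded bento.yaml metadata. The reference grammar is a deliberately narrow assumption of mine, not BentoML's validator.

```python
import re

# Added example, not BentoML's code. A strict, simplified grammar for image
# references [registry[:port]/]path[:tag][@sha256:digest]; narrower than the
# full distribution/reference grammar so whitespace or control chars never pass.
_COMPONENT = r"[a-z0-9]+(?:[._-][a-z0-9]+)*"
_REFERENCE_RE = re.compile(
    rf"(?:{_COMPONENT}(?::[0-9]{{1,5}})?/)?"    # optional registry[:port]/
    rf"{_COMPONENT}(?:/{_COMPONENT})*"          # repository path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"  # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?"                # optional @digest
)


def check_base_image(value):
    """Return the reasons a docker.base_image value is unsafe (empty list = OK)."""
    if not isinstance(value, str):
        return ["docker.base_image must be a string"]
    if "\n" in value or "\r" in value:
        # The bug described above: a newline terminates the FROM instruction and
        # whatever follows is parsed as further Dockerfile instructions.
        return ["contains a newline: Dockerfile instruction injection"]
    if any(ch.isspace() or ord(ch) < 32 or ord(ch) == 127 for ch in value):
        return ["contains whitespace or control characters"]
    if len(value) > 255 or not _REFERENCE_RE.fullmatch(value):
        return ["not a well-formed image reference"]
    return []


def render_from_instruction(base_image):
    """Hardened FROM line: validate first, interpolate only a value that passed."""
    problems = check_base_image(base_image)
    if problems:
        raise ValueError("refusing to render docker.base_image: " + "; ".join(problems))
    return f"FROM {base_image}\n"


def audit_bento_metadata(meta):
    """Intake gate for a loaded bento.yaml (a dict, e.g. from yaml.safe_load)."""
    docker = meta.get("docker")
    if not isinstance(docker, dict) or "base_image" not in docker:
        return []  # no explicit base image: BentoML uses its default
    return check_base_image(docker["base_image"])


if __name__ == "__main__":  # constructed sample metadata, not a real Bento
    print(audit_bento_metadata({"docker": {"base_image": "python:3.11-slim\nRUN echo x"}}))
```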

Need help?

Ping7 can review the BentoML version, CI build history, Dockerfile generation path, and build-host indicators. Start from CVE Repair if the build host handled external Bentos or you cannot confirm where bento.yaml files came from.

  • Free quick check: Send the BentoML version and whether external Bentos were containerized.
  • Patch review: $99 for single-service environments.
  • CI/CD security audit: $299 - Dockerfile generation, secrets handling, and build isolation.

Request CVE repair ->

References