PatchSiren cyber security CVE debrief

CVE-2026-40610 bentoml CVE debrief

A symlink-following vulnerability in BentoML's build packaging workflow allows attackers to exfiltrate local files from build hosts into Bento artifacts. When building untrusted repositories, attacker-controlled symlinks are dereferenced and their target file contents are copied into the generated artifact. This exposes sensitive files including cloud credentials, SSH keys, API tokens, and environment configurations. The leaked contents can propagate further through export, push, or containerization workflows. The vulnerability affects versions 1.4.38 and prior; version 1.4.39 contains the fix.

Vendor: bentoml
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-26
Advisory published: 2026-05-22
Advisory updated: 2026-05-26

Who should care

Organizations using BentoML for ML model serving in multi-tenant or CI/CD environments; security teams reviewing supply chain risks in AI/ML infrastructure; developers building from external or untrusted model repositories

Technical summary

The vulnerability exists in BentoML's build packaging workflow where symlinks within the build context are followed and dereferenced during artifact creation. An attacker can craft a malicious repository containing symlinks pointing to sensitive files on the build host (e.g., /etc/passwd, ~/.aws/credentials, ~/.ssh/id_rsa). When bentoml build executes, the symlink target contents are read and packaged into the Bento artifact. The attack requires local access to place files in the build context and user interaction to trigger the build process. Post-build workflows including export, push, and containerization can further distribute the exfiltrated data. The fix in v1.4.39 addresses the symlink handling behavior.

Defensive priority

medium

Recommended defensive actions

  • Upgrade BentoML to version 1.4.39 or later
  • Audit existing Bento artifacts built from untrusted sources for unexpected file contents
  • Review build contexts and repositories before executing bentoml build
  • Implement build isolation and sandboxing for CI/CD pipelines processing external repositories
  • Scan Bento artifacts for sensitive file patterns before export or push operations
  • Validate that build environments do not contain sensitive files in predictable locations
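The pre-build review and artifact scan recommended above, written out as an added example (this is not BentoML's own code and not the v1.4.39 fix): it lists every symlink in a build context whose resolved target lies outside that context, and a staging copy that refuses to dereference them. The directory layout, file names and credential contents in demo() are constructed for the illustration.

```python
# Added example (not BentoML's code): pre-build check for the condition
# CVE-2026-40610 abused, a symlink resolving outside the packaged directory.
import os
import shutil
import tempfile
from pathlib import Path

def find_escaping_symlinks(build_root):
    """Relative paths of symlinks whose target resolves outside build_root."""
    root = Path(build_root).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            # resolve() walks every component, so chained links and ../ hops
            # are handled; strict=False keeps dangling links from raising.
            target = p.resolve(strict=False)
            if target != root and root not in target.parents:
                escaping.append(str(p.relative_to(root)))
    return sorted(escaping)

def copy_context_safely(build_root, dest):
    """Stage build_root into dest without dereferencing any symlink:
    escaping links abort the build, in-tree links are recreated as links."""
    bad = find_escaping_symlinks(build_root)
    if bad:
        raise ValueError(f"symlinks escape the build context: {bad}")
    shutil.copytree(build_root, dest, symlinks=True)  # copy links, not targets

def demo():
    """Constructed scenario: a benign in-tree symlink plus one that points
    at a credentials file outside the build context."""
    base = Path(tempfile.mkdtemp())
    secret = base / "home_creds"  # stands in for a file like ~/.aws/credentials
    secret.write_text("aws_secret_access_key = CONSTRUCTED-PLACEHOLDER\n")
    ctx = base / "repo"
    (ctx / "models").mkdir(parents=True)
    (ctx / "models" / "weights.bin").write_bytes(b"\x00" * 8)
    os.symlink("models/weights.bin", ctx / "latest.bin")  # in-tree, allowed
    os.symlink(secret, ctx / "config.yaml")  # escapes the context, flagged
    flagged = find_escaping_symlinks(ctx)
    try:
        copy_context_safely(ctx, base / "bento_out")
        refused = False
    except ValueError:
        refused = True
    return flagged, refused
```

Run find_escaping_symlinks() over a cloned repository before invoking bentoml build, and over an unpacked Bento before export or push; any path it returns is a file whose contents came from outside the context.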

Evidence notes

CVE published 2026-05-22; modified 2026-05-26. CVSS 3.1 score 5.5 (MEDIUM). CWE-59 (Improper Link Resolution Before File Access). Fixed in BentoML v1.4.39 per GitHub Security Advisory GHSA-mcfx-4vc6-qgxv.

Official resources

2026-05-22