PatchSiren cyber security CVE debrief
CVE-2026-44345 bentoml CVE debrief
BentoML versions prior to 1.4.39 contain a template injection vulnerability in the container build pipeline. The Jinja2 template at `src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2` interpolates the `docker.base_image` configuration value without escaping, newline filtering, or validation. A maliciously crafted `bento.yaml` file with a multi-line `docker.base_image` value can inject arbitrary Dockerfile directives. When `bentoml containerize` is executed, the generated Dockerfile containing injected `RUN` directives is passed to `docker build`, resulting in arbitrary command execution on the victim host during the build process. This vulnerability requires user interaction to trigger (loading a malicious bento configuration), but the attack vector is network-accessible and the impact is high (confidentiality, integrity, and availability compromise). The CVSS 3.1 score of 8.8 reflects high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact across all three security dimensions.
- Vendor: bentoml
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using BentoML for ML model serving infrastructure, particularly those with automated containerization pipelines or accepting bento configurations from external contributors. DevOps and MLOps teams responsible for secure build pipelines. Security teams monitoring for supply chain attacks targeting ML/AI infrastructure.
Technical summary
The vulnerability exists in the Jinja2 template processing within BentoML's container frontend. The `base_v2.j2` template directly interpolates `{{ docker.base_image }}` without applying Jinja2's `|e` (escape) filter or validating that the value is a single-line, valid container image reference. An attacker can craft a bento.yaml with a payload such as `base_image: 'ubuntu:22.04' + chr(10) + 'RUN malicious_command'` (or equivalent YAML multi-line syntax). When `bentoml containerize` processes this configuration, the template generates a Dockerfile where the injected newline terminates the FROM directive and subsequent lines become valid Dockerfile instructions. The `docker build` execution then processes these attacker-controlled directives with host-level privileges. This represents a form of server-side template injection (SSTI) specifically targeting container build pipelines, with exploitation occurring at build time rather than runtime.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade BentoML to version 1.4.39 or later to remediate the template injection vulnerability
- Audit bento.yaml configuration files in use, especially those from untrusted sources, for suspicious multi-line docker.base_image values
- Implement input validation and sanitization for docker.base_image values in CI/CD pipelines before containerization
- Review container build logs for unexpected RUN directives that may indicate exploitation attempts
- Consider using read-only build contexts and restricted Docker daemon configurations to limit impact of potential injection attacks
- Enable software composition analysis (SCA) scanning to detect vulnerable BentoML versions in dependency manifests
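As an added example (not BentoML's own code and not part of the advisory), the following is a pre-containerization check that a CI/CD step could run over a parsed bento.yaml before `bentoml containerize`. It accepts only single-line values that match an approximation of the Docker image reference grammar (`[registry[:port]/]name[:tag][@digest]`) and rejects anything containing newlines or other control characters, since a newline inside the `FROM` value is what the injection described above relies on. The function names, the regular expressions and the sample configurations are assumptions constructed for this example; the grammar approximates the distribution/reference rules rather than reproducing them exactly.

```python
import re

# Approximation of the Docker/OCI image reference grammar (constructed for this
# example; hypothetical validator, not BentoML's implementation).
_NAME_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_DOMAIN = (
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"(?::[0-9]+)?"
)
_TAG = r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}"
_DIGEST = r"[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}"

IMAGE_REF_RE = re.compile(
    rf"(?:{_DOMAIN}/)?{_NAME_COMPONENT}(?:/{_NAME_COMPONENT})*"
    rf"(?::{_TAG})?(?:@{_DIGEST})?"
)

# Anything below 0x20 (newline, carriage return, tab, ...) or DEL can never be
# part of a legitimate image reference; a newline is what turns one FROM line
# into several Dockerfile directives.
_CONTROL_CHAR_RE = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeBaseImage(ValueError):
    """Raised when docker.base_image is not a single, well-formed image reference."""


def validate_base_image(value):
    """Return `value` unchanged if it is a safe image reference, else raise."""
    if not isinstance(value, str):
        raise UnsafeBaseImage(f"base_image must be a string, got {type(value).__name__}")
    if _CONTROL_CHAR_RE.search(value):
        raise UnsafeBaseImage("base_image contains a newline or control character")
    if len(value) > 255:
        raise UnsafeBaseImage("base_image is unreasonably long")
    # fullmatch: the whole string must be one reference, no trailing garbage.
    if not IMAGE_REF_RE.fullmatch(value):
        raise UnsafeBaseImage(f"base_image is not a valid image reference: {value!r}")
    return value


def is_safe_base_image(value):
    """Boolean convenience wrapper around validate_base_image."""
    try:
        validate_base_image(value)
        return True
    except UnsafeBaseImage:
        return False


def audit_bento_config(config):
    """Return a list of findings for an already parsed bento.yaml (dict).

    An empty list means docker.base_image is absent or passes validation.
    """
    docker_section = config.get("docker") or {}
    base_image = docker_section.get("base_image")
    if base_image is None:
        return []
    try:
        validate_base_image(base_image)
    except UnsafeBaseImage as exc:
        return [f"docker.base_image rejected: {exc}"]
    return []


# Constructed sample configurations (not real bento.yaml files).
CLEAN_CONFIG = {
    "service": "svc:Svc",
    "docker": {"base_image": "docker.io/library/python:3.11-slim"},
}
INJECTED_CONFIG = {
    "service": "svc:Svc",
    # The embedded newline would end the FROM line and start a new directive.
    "docker": {"base_image": "ubuntu:22.04\nRUN echo injected-directive"},
}


if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("injected", INJECTED_CONFIG)):
        findings = audit_bento_config(cfg)
        print(name, "->", findings or "ok")
```

Run this as a gate before the containerize step; a non-empty finding list should fail the pipeline. The check is deliberately stricter than the template is, so that a value which would render into more than one Dockerfile line never reaches Jinja2 in the first place.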
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-78f9-r8mh-4xm2. CWE-78 (OS Command Injection) classification applied. Fix version 1.4.39 explicitly mentioned in advisory. Template injection occurs in base_v2.j2 with direct interpolation of docker.base_image.
Official resources
- CVE-2026-44345 CVE record (CVE.org)
- CVE-2026-44345 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27