Vulnerability Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bentoml | Bentoml | < 1.4.38 |
Related Weaknesses (CWE)
References
- https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6ExploitVendor Advisory
FAQ
What is CVE-2026-35044?
CVE-2026-35044 is a vulnerability with a CVSS score of 8.8 (HIGH). BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_...
How severe is CVE-2026-35044?
CVE-2026-35044 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35044?
Check the references section above for vendor advisories and patch information. Affected products include: Bentoml Bentoml.