CVE-2026-24123 Overview
CVE-2026-24123 is a path traversal vulnerability in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. Prior to version 1.4.34, BentoML's bentofile.yaml configuration allows path traversal attacks through multiple file path fields including description, docker.setup_script, docker.dockerfile_template, and conda.environment_yml. An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files such as SSH keys, credentials, and environment variables are silently embedded in bentos and exposed when pushed to registries or deployed.
Critical Impact
This vulnerability enables supply chain attacks by allowing attackers to exfiltrate sensitive files (SSH keys, credentials, environment variables) from build systems into bento archives, potentially exposing them when pushed to registries or deployed.
Affected Products
- BentoML versions prior to 1.4.34
- Applications using bentofile.yaml configuration with vulnerable path fields
- AI/ML serving systems built with vulnerable BentoML versions
Discovery Timeline
- 2026-01-26 - CVE-2026-24123 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24123
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in BentoML's handling of file path fields within the bentofile.yaml configuration. The vulnerability allows attackers to escape the intended directory structure and access files outside the project scope. When a victim builds a bento using a malicious configuration, arbitrary files from their filesystem can be silently included in the resulting bento archive. This is particularly dangerous in CI/CD environments where build systems often have access to sensitive credentials and deployment keys.
The attack requires user interaction—specifically, a victim must build a bento using a maliciously crafted bentofile.yaml. However, the network-based attack vector combined with the potential for high confidentiality impact makes this a significant supply chain security concern.
Root Cause
The root cause of CVE-2026-24123 is insufficient path validation when the file path fields in the bentofile.yaml configuration are processed. The vulnerable fields (description, docker.setup_script, docker.dockerfile_template, conda.environment_yml) were neither sanitized nor validated, so directory traversal sequences (e.g., ../) could escape the intended build context. Because the path resolution logic did not route these values through the resolve_user_filepath utility function, a bentofile could reference files outside the project directory.
Attack Vector
The attack is network-based and requires user interaction. An attacker can distribute a malicious bentofile.yaml through various channels such as shared repositories, pull requests, or social engineering. When an unsuspecting developer builds a bento using this configuration, the path traversal payload causes sensitive files from their local filesystem to be embedded in the bento archive. These files are then exposed when the bento is pushed to a registry or deployed, potentially leaking SSH keys, API tokens, environment variables, and other credentials.
# Security patch adding resolve_user_filepath to images.py
from bentoml._internal.container import split_envs_by_stage
from bentoml._internal.container.frontend.dockerfile import CONTAINER_METADATA
from bentoml._internal.container.frontend.dockerfile import CONTAINER_SUPPORTED_DISTROS
+from bentoml._internal.utils.filesystem import chdir
+from bentoml._internal.utils.filesystem import resolve_user_filepath
from bentoml.exceptions import BentoMLConfigException
from bentoml.exceptions import BentoMLException
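Review bot: this hunk only adds the `chdir` and `resolve_user_filepath` imports to images.py and shows none of the call sites, so the excerpt alone cannot confirm that every field the advisory names (description, docker.setup_script, docker.dockerfile_template, conda.environment_yml) is actually routed through resolve_user_filepath before the file is read. Please keep the resolution changes in the same change set and add a regression test that builds from a bentofile whose path fields contain `../` and asserts that the build is rejected; also confirm that `chdir` is used somewhere in images.py, otherwise the import is dead.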
Source: GitHub Commit Update
# Security patch adding resolve_user_filepath to bento.py
from ..types import PathType
from ..utils import normalize_labels_value
from ..utils.cattr import bentoml_cattr
+from ..utils.filesystem import resolve_user_filepath
from ..utils.filesystem import safe_remove_dir
from .build_config import BentoBuildConfig
from .build_config import BentoEnvSchema
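Review bot: same gap for bento.py: the import of resolve_user_filepath is added next to safe_remove_dir, but the hunk does not show where BentoBuildConfig's path values are resolved, so a reader cannot verify that resolution happens before the referenced files are copied into the archive. The commit message should state which fields now pass through the helper and what happens when the resolved path falls outside the build context (rejected with BentoMLConfigException versus merely normalised), since that distinction is the whole fix.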
Source: GitHub Commit Update
Detection Methods for CVE-2026-24123
Indicators of Compromise
- Presence of bentofile.yaml files containing path traversal sequences such as ../ in file path fields
- Unexpected files appearing in bento archives, particularly credentials, SSH keys, or environment files
- Suspicious entries in build logs referencing files outside the project directory
- Bento archives containing files from system directories like /etc/, ~/.ssh/, or credential storage locations
Detection Strategies
- Implement static analysis scanning of bentofile.yaml configurations to detect path traversal patterns before builds execute
- Use file integrity monitoring on sensitive directories during bento build processes
- Configure SentinelOne to monitor for suspicious file access patterns during CI/CD pipeline execution
- Deploy content inspection on bento archives before pushing to registries to detect unauthorized file inclusion
Monitoring Recommendations
- Enable logging and auditing of all file access during BentoML build operations
- Monitor build environments for access to sensitive system files and credential stores
- Implement registry scanning to inspect bento contents before deployment
- Configure alerts for builds that reference paths outside the expected project directory structure
How to Mitigate CVE-2026-24123
Immediate Actions Required
- Upgrade BentoML to version 1.4.34 or later immediately
- Audit all existing bentofile.yaml configurations for suspicious path traversal patterns
- Review recently built bentos for unauthorized file inclusion
- Rotate any credentials that may have been exposed in builds created with vulnerable versions
Patch Information
The vulnerability has been addressed in BentoML version 1.4.34. The patch introduces the resolve_user_filepath utility function to properly validate and sanitize file paths in bentofile.yaml configurations. The fix ensures that all user-supplied paths are resolved within the intended build context, preventing directory traversal attacks.
For more information, see the GitHub Security Advisory GHSA-6r62-w2q3-48hf and the GitHub Release v1.4.34.
Workarounds
- Manually review all bentofile.yaml configurations and reject any containing path traversal sequences
- Implement pre-build validation scripts to check for suspicious path patterns in configuration files
- Run bento builds in isolated, sandboxed environments with limited access to sensitive files
- Use read-only mounts for directories containing credentials when executing build processes
# Upgrade BentoML to the patched version (quote the specifier so the shell does not treat '>' as an output redirect)
pip install --upgrade 'bentoml>=1.4.34'
# Verify the installed version
python -c "import bentoml; print(bentoml.__version__)"
# Quick scan of bentofile.yaml for traversal sequences, absolute /etc/ paths and home-directory references
grep -nE '\.\./|\.\.\\|/etc/|~/' bentofile.yaml
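The grep above only catches literal traversal strings. The following pre-build validator, an added example and not BentoML's or the advisory's own code, performs the containment check the Root Cause section says was missing and serves as the pre-build validation script the Workarounds recommend: each of the four named fields is resolved against the build context and rejected if it lands outside it. It takes the bentofile already parsed into a dict (what yaml.safe_load returns); the "file:" prefix handling for description and the sample configuration are assumptions constructed for the example.

```python
import os

# Dotted names of the four bentofile.yaml fields the advisory lists as traversable.
PATH_FIELDS = ("description", "docker.setup_script",
               "docker.dockerfile_template", "conda.environment_yml")

def _lookup(config, dotted):
    """Follow a dotted key through nested dicts; return a string value or None."""
    for part in dotted.split("."):
        config = config.get(part) if isinstance(config, dict) else None
    return config if isinstance(config, str) else None

def resolve_in_context(value, build_ctx):
    """Return the resolved path if it stays inside build_ctx, otherwise None."""
    # realpath() collapses '..' and follows symlinks, so a symlink pointing out of
    # the build directory is rejected too. Absolute paths and '~' get no special
    # treatment: the resolved result must still land inside the context.
    expanded = os.path.expanduser(value)
    if expanded.startswith("~"):  # home directory could not be resolved
        return None
    ctx = os.path.realpath(build_ctx)
    target = os.path.realpath(os.path.join(ctx, expanded))
    try:
        inside = os.path.commonpath([ctx, target]) == ctx
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return target if inside else None

def check_bentofile(config, build_ctx):
    """Return one violation per field that escapes build_ctx; [] means safe."""
    violations = []
    for field in PATH_FIELDS:
        value = _lookup(config, field)
        if value is None:
            continue
        # Assumption: a description of the form "file: <path>" names a file; inline
        # text is checked too, which is conservative but cannot miss a real path.
        if field == "description" and value.startswith("file:"):
            value = value[len("file:"):].strip()
        if resolve_in_context(value, build_ctx) is None:
            violations.append(f"{field}: {value!r} escapes the build context")
    return violations

# Constructed sample standing in for yaml.safe_load() of a malicious bentofile.
TRAVERSAL_CONFIG = {
    "description": "file: ../../.ssh/id_rsa",
    "docker": {"setup_script": "/etc/passwd", "dockerfile_template": "~/.aws/credentials"},
    "conda": {"environment_yml": "./environment.yml"},
}
```

Running check_bentofile(TRAVERSAL_CONFIG, "/srv/build/proj") reports three violations (the conda field stays inside the context), while a config whose fields all point at files under the build directory returns an empty list.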
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


