CVE-2026-35043 Overview
CVE-2026-35043 is a command injection vulnerability in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. The vulnerability exists in the cloud deployment path within src/bentoml/_internal/cloud/deployment.py, which was not included in the fix for a previous related vulnerability (CVE-2026-33744). The flaw allows attackers to execute arbitrary commands on the cloud build infrastructure during deployment.
Critical Impact
Attackers can achieve remote code execution on the CI/CD tier by exploiting improper command string construction in the cloud deployment module, potentially compromising the entire build infrastructure.
Affected Products
- BentoML versions prior to 1.4.38
- BentoCloud deployments using vulnerable BentoML versions
- CI/CD pipelines utilizing BentoML cloud deployment features
Discovery Timeline
- 2026-04-06 - CVE-2026-35043 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35043
Vulnerability Analysis
This command injection vulnerability (CWE-78) exists because the system_packages parameter at line 1648 of the deployment module is directly interpolated into a shell command using a Python f-string without proper quoting or sanitization. The generated script is then uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment.
The vulnerability is particularly concerning because it affects the CI/CD tier, meaning successful exploitation could lead to compromise of the build infrastructure itself, potentially affecting multiple deployments and introducing supply chain risks.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. The code constructs a shell command by directly inserting user-controllable input (system_packages) into a command string using Python f-string formatting. Without proper escaping, quoting, or input validation, an attacker can inject additional shell commands that will be executed during the deployment process.
This vulnerability represents an incomplete fix for CVE-2026-33744, as the cloud deployment path was overlooked during the initial remediation effort.
Attack Vector
The attack vector requires local access with user interaction. An attacker with the ability to influence the system_packages parameter during BentoML cloud deployment can inject malicious shell commands. When the generated setup.sh script is executed on BentoCloud's build infrastructure, the injected commands will run with the privileges of the build process.
For example, a malicious package name containing shell metacharacters like semicolons, backticks, or command substitution syntax could break out of the intended command context and execute arbitrary code. The attacker could potentially exfiltrate secrets, install backdoors, or modify build artifacts.
For technical details on the vulnerable code path, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35043
Indicators of Compromise
- Unusual or unexpected commands in setup.sh scripts uploaded to BentoCloud
- Anomalous process execution during cloud deployment builds
- Unexpected network connections from build infrastructure
- Modified or tampered deployment artifacts
Detection Strategies
- Monitor BentoML deployment configurations for suspicious system_packages entries containing shell metacharacters (;, |, $(), backticks)
- Implement logging and alerting on cloud deployment script generation
- Review deployment logs for unexpected command execution patterns
- Audit build infrastructure for unauthorized file modifications or process spawning
Monitoring Recommendations
- Enable comprehensive logging for all BentoCloud deployment activities
- Monitor for attempts to include shell metacharacters in deployment parameters
- Implement file integrity monitoring on build infrastructure
- Set up alerts for unusual outbound network traffic from CI/CD systems
How to Mitigate CVE-2026-35043
Immediate Actions Required
- Upgrade BentoML to version 1.4.38 or later immediately
- Audit recent cloud deployments for potentially malicious configurations
- Review deployment logs for signs of exploitation
- Temporarily disable cloud deployment features if upgrade is not immediately possible
Patch Information
The vulnerability has been fixed in BentoML version 1.4.38. The fix properly sanitizes the system_packages parameter before interpolation into shell commands. Organizations should update their BentoML installations to version 1.4.38 or later.
For additional details, see the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, avoid using the cloud deployment feature until patched
- Implement strict input validation on any user-provided deployment parameters
- Use allowlisting for system_packages values to prevent injection of malicious content
- Consider deploying BentoML models through alternative mechanisms that do not use the vulnerable code path
# Upgrade BentoML to the patched version
# (the requirement is quoted so the shell does not treat ">" as a redirect)
pip install --upgrade "bentoml>=1.4.38"
# Verify the installed version
pip show bentoml | grep Version
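The allowlisting workaround, the metacharacter check from Detection Strategies, and the interpolation flaw from Root Cause, shown together as an added Python example that is not BentoML's code. It assumes an apt-get install line and Debian-style package names; the function names and sample entries are constructed for illustration.

```python
import re
import shlex

# Assumption: entries are Debian-style package names (lowercase letters, digits,
# "+", "-", "."; at least two characters; alphanumeric first character).
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")
# Characters the shell treats specially; any of them in an entry is a finding.
SHELL_META = set(";|&$`<>()\\\"'\n\r\t *?[]{}!#~")


def audit(system_packages):
    """Return {entry: sorted metacharacters} for entries that need review.

    An empty list means the entry has no metacharacter but is still not a
    valid package name under the allowlist pattern.
    """
    findings = {}
    for entry in system_packages:
        hits = sorted(SHELL_META.intersection(entry))
        if hits or not PKG_NAME.fullmatch(entry):
            findings[entry] = hits
    return findings


def render_unquoted(system_packages):
    """The flawed pattern the advisory describes: raw f-string interpolation."""
    return f"apt-get install -y {' '.join(system_packages)}\n"


def render_hardened(system_packages):
    """Reject anything off the allowlist, then quote each entry anyway."""
    rejected = audit(system_packages)
    if rejected:
        raise ValueError(f"refusing system_packages entries: {sorted(rejected)}")
    args = " ".join(shlex.quote(p) for p in system_packages)
    # "--" ends option parsing, so no entry can be read as an apt-get flag.
    return f"apt-get install -y -- {args}\n"


# Constructed sample input; the second entry carries a harmless marker command.
SAMPLE = ["libgomp1", "jq; echo INJECTED", "ffmpeg"]

if __name__ == "__main__":
    print(render_unquoted(SAMPLE), end="")   # marker command lands in the script
    print(audit(SAMPLE))                     # the entry a reviewer should see
    print(render_hardened(["libgomp1", "ffmpeg"]), end="")
```

Running audit() over the system_packages lists of recent deployments gives a quick triage list for the review recommended under Immediate Actions.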


