CVE-2026-35044 Overview
CVE-2026-35044 is a code injection vulnerability in BentoML, a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py renders user-provided dockerfile_template files with an unsandboxed jinja2.Environment that has the jinja2.ext.do extension enabled. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python on the host machine while the Dockerfile is being generated. No container exists at that point, so container isolation never comes into play.
Critical Impact
This vulnerability lets an attacker who can get a victim to containerize an untrusted bento archive run arbitrary Python code on the victim's host, with the privileges of the user running bentoml containerize. The code runs during template rendering on the host, not inside the image being built, so container isolation offers no protection.
Affected Products
- BentoML versions prior to 1.4.38
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35044 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35044
Vulnerability Analysis
This vulnerability stems from insecure template processing in BentoML's container generation workflow. The generate_containerfile() function renders user-controlled Dockerfile templates with a plain jinja2.Environment rather than jinja2.sandbox.SandboxedEnvironment. Jinja2 is not a sandbox by default: a template expression can walk Python object attributes, for example from a built-in global such as cycler through __init__.__globals__ to the os module, which is enough to reach the interpreter. The jinja2.ext.do extension adds a {% do %} tag that evaluates an expression purely for its side effects, so an attacker can make such calls without leaving any trace in the rendered Dockerfile.
When a user imports a bento archive from an untrusted source and subsequently runs the bentoml containerize command, the malicious template embedded within the archive is processed. The unsandboxed Jinja2 environment interprets attacker-controlled template directives, enabling arbitrary code execution with the privileges of the user running the containerize command.
The vulnerability is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), highlighting the failure to sanitize or sandbox template inputs before processing.
Root Cause
The root cause is the use of an unsandboxed jinja2.Environment to render user-provided dockerfile_template files. In a plain Environment, any expression can traverse attributes such as __class__, __mro__, __subclasses__ and __globals__ to reach os, subprocess or the builtins, and nothing restricts that traversal. The jinja2.ext.do extension makes exploitation more convenient, because {% do %} lets a template call those objects without emitting output into the Dockerfile, but it is not what grants the access. BentoML trusted template content that arrived inside an imported bento archive without validating or restricting what the template could reach.
Attack Vector
An attacker crafts a malicious bento archive containing a dockerfile_template with embedded Jinja2 template injection payloads. The attack requires user interaction: the victim must import the malicious bento archive and execute the bentoml containerize command. Upon execution, the malicious template runs arbitrary Python code directly on the host machine, with the privileges of the user who ran the command and outside of any container sandbox.
The payload uses ordinary Jinja2 expression syntax, typically wrapped in {% do %} so that nothing appears in the rendered Dockerfile. Common exploitation techniques walk from a built-in object or a Jinja2 global to Python's os or subprocess modules, or to __builtins__, and from there read sensitive files, establish reverse shells, or download and execute additional payloads.
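The mechanism described in the Root Cause and Attack Vector sections, shown as an added example that is not BentoML's code: a plain jinja2.Environment with the do extension renders a constructed attacker template and reaches the real os module, while jinja2.sandbox.SandboxedEnvironment rejects the same template with SecurityError. The template text, the MARKER environment variable name and the render_* helpers are assumptions made for this demonstration; generate_containerfile() itself is not reproduced.

```python
"""Added example (not BentoML's code): the vulnerable rendering pattern next to a
sandboxed one, run against a constructed attacker template.

Assumptions, labelled: the template text, the MARKER name and the render_* helpers
are made up for this demonstration; BentoML's real generate_containerfile() is not
reproduced here.
"""
import os

import jinja2
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

MARKER = "BENTO_SSTI_DEMO_MARKER"  # hypothetical name chosen for this example

# Constructed attacker-controlled dockerfile_template. The Dockerfile it renders
# looks harmless; the work happens in the {% set %} and {% do %} tags, which emit
# nothing. `cycler` is one of Jinja2's default globals, and its
# __init__.__globals__ is the jinja2.utils module namespace, which imports os.
MALICIOUS_TEMPLATE = """\
FROM python:3.11-slim
{% set os_mod = cycler.__init__.__globals__.os %}
{% do os_mod.environ.__setitem__("@MARKER@", "host:" ~ os_mod.name) %}
RUN echo building
""".replace("@MARKER@", MARKER)


def render_unsandboxed(template_src: str) -> str:
    """The vulnerable pattern: a plain Environment with the `do` extension
    rendering template text that the caller does not control."""
    env = jinja2.Environment(extensions=["jinja2.ext.do"])
    return env.from_string(template_src).render()


def render_sandboxed(template_src: str) -> str:
    """Hardened variant: SandboxedEnvironment refuses attribute names that start
    with an underscore, so the hop to __init__/__globals__ raises SecurityError."""
    env = SandboxedEnvironment(extensions=["jinja2.ext.do"])
    return env.from_string(template_src).render()


def demo() -> dict:
    """Render the attacker template both ways and report what happened on the host."""
    os.environ.pop(MARKER, None)
    dockerfile = render_unsandboxed(MALICIOUS_TEMPLATE)
    report = {
        # nothing about the payload survives into the Dockerfile text ...
        "unsandboxed_output_clean": "__globals__" not in dockerfile and MARKER not in dockerfile,
        # ... but the interpreter running the build tool was modified
        "marker_set_on_host": os.environ.get(MARKER),
    }
    os.environ.pop(MARKER, None)
    try:
        render_sandboxed(MALICIOUS_TEMPLATE)
        report["sandbox_blocked"] = False
    except SecurityError:
        report["sandbox_blocked"] = True
    report["marker_after_sandbox"] = os.environ.get(MARKER)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run with jinja2 installed: demo() reports that the unsandboxed render left the Dockerfile text clean yet set the marker in the build tool's own process environment, and that the sandboxed render raised before the {% do %} tag was reached. SandboxedEnvironment is a hardening layer rather than a proof of safety, so treating imported archives as untrusted code remains the primary control.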
Detection Methods for CVE-2026-35044
Indicators of Compromise
- Unexpected Python process executions during bentoml containerize operations
- Suspicious network connections originating from BentoML processes
- Unusual file system access patterns when processing bento archives
- Presence of Jinja2 template syntax in bento archives that reaches Python internals: dunder attributes such as __class__, __mro__, __subclasses__ or __globals__, references to os, subprocess or __import__, whether or not they sit inside {% do %} blocks
Detection Strategies
- Monitor imported bento archives for suspicious Jinja2 template patterns, particularly dunder attribute access and references to os or subprocess; {% do %} directives deserve close scrutiny because they execute without producing any output in the rendered Dockerfile
- Implement file integrity monitoring on systems running BentoML to detect unauthorized modifications
- Use endpoint detection to identify unusual child process spawning from Python processes running BentoML
- Review imported bento archives for dockerfile_template files containing potentially malicious template code
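A concrete form of the archive review recommended in the Detection Strategies list and again under Workarounds, as an added example rather than BentoML's own tooling: a small scanner that opens a bento archive as a tar file and flags template lines that use {% do %}, dunder attribute hops, OS or subprocess access inside Jinja2 tags, or Jinja2 internals such as cycler as a starting point. The archive layout, member names, template texts and rule list are constructed for the demonstration; the page does not describe the real archive structure, so every text member is scanned rather than a specific path.

```python
"""Added example, not BentoML's own tooling: a scanner that looks inside a bento
archive for Jinja2 template content that reaches Python internals.

Assumptions, labelled: bento archives are treated as plain tar files and every
text member is scanned, because this page does not describe the archive layout;
the member names, template texts and rule list below are constructed for the
demonstration. The malicious sample is only pattern-matched, never rendered.
"""
import io
import re
import tarfile
from typing import List, Tuple

Finding = Tuple[str, int, str, str]  # (member name, line number, rule, offending line)

TAG_OPEN = re.compile(r"\{[{%#]")
TAG_CLOSE = re.compile(r"[}%#]\}")
RULES = {
    # {% do %} evaluates an expression without emitting anything into the Dockerfile
    "do_tag": re.compile(r"\{%-?\s*do\b"),
    # dunder hops that lead from any object to classes, module globals or builtins
    "dunder_walk": re.compile(r"__(class|mro|subclasses|globals|builtins|import|init|dict)__"),
    # OS / process access written inside template syntax
    "os_access": re.compile(r"\b(os|subprocess|builtins)\s*\.\s*\w+"),
    # Jinja2's own objects used as the first hop of an attribute walk
    "jinja_internals": re.compile(r"_TemplateReference__context|\b(cycler|joiner|lipsum|namespace)\b\s*\."),
}


def scan_text(name: str, text: str) -> List[Finding]:
    """Return one finding per (line, rule) hit. `os_access` fires only on lines that
    are part of a Jinja2 tag, so a plain `RUN python -c "import os"` is not reported.
    Tag state is tracked across lines with a simple open/close count (heuristic)."""
    findings: List[Finding] = []
    inside_tag = False
    for lineno, line in enumerate(text.splitlines(), 1):
        opens, closes = len(TAG_OPEN.findall(line)), len(TAG_CLOSE.findall(line))
        in_tag = inside_tag or opens > 0
        for rule, pattern in RULES.items():
            if rule == "os_access" and not in_tag:
                continue
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()))
        if opens != closes:
            inside_tag = opens > closes
    return findings


def scan_bento_archive(archive_bytes: bytes) -> List[Finding]:
    """Scan every regular, reasonably small, UTF-8 member of a tar archive in memory
    (nothing is extracted to disk, so hostile member paths cannot escape)."""
    findings: List[Finding] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.size > 1_000_000:
                continue
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary artifact (model weights etc.), not a template
            findings.extend(scan_text(member.name, text))
    return findings


# Constructed sample templates (layout and contents are assumptions for this example).
BENIGN_TEMPLATE = """\
FROM python:3.11-slim
{% if use_gpu %}
RUN pip install torch
{% endif %}
COPY . /app
"""
MALICIOUS_TEMPLATE = """\
FROM python:3.11-slim
{% for cls in "".__class__.__mro__[1].__subclasses__() %}
{% if cls.__name__ == "Popen" %}{% do cls("id", shell=True) %}{% endif %}
{% endfor %}
RUN echo build
"""


def build_sample_archive() -> bytes:
    """Build an in-memory tar with one benign and one malicious bento (constructed)."""
    files = {
        "benign_bento/env/docker/Dockerfile.template": BENIGN_TEMPLATE,
        "evil_bento/env/docker/Dockerfile.template": MALICIOUS_TEMPLATE,
        "evil_bento/bento.yaml": "service: svc:Svc\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, lineno, rule, line in scan_bento_archive(build_sample_archive()):
        print(f"{name}:{lineno} [{rule}] {line}")
```

Any finding is a reason to read the template before running bentoml containerize; the rules are deliberately broad because a template that legitimately needs `__class__` or `{% do %}` in a Dockerfile is rare enough to justify a manual look.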
Monitoring Recommendations
- Enable detailed logging for BentoML operations, particularly containerize workflows
- Monitor process execution chains for unexpected commands spawned during bento archive processing
- Implement network monitoring for unusual outbound connections during containerize operations
- Consider sandboxing BentoML operations in isolated environments when processing untrusted archives
How to Mitigate CVE-2026-35044
Immediate Actions Required
- Upgrade BentoML to version 1.4.38 or later immediately, and confirm the installed version on every build host (for example with pip show bentoml)
- Audit all recently imported bento archives for potentially malicious template content
- Avoid importing or containerizing bento archives from untrusted sources until the patch is applied
- Review system logs for any signs of compromise related to BentoML containerize operations
Patch Information
This vulnerability is fixed in BentoML version 1.4.38. According to the advisory, the patch addresses the insecure template rendering by sandboxing the Jinja2 environment used in Dockerfile generation. Users should upgrade to this version or later to remediate the vulnerability. Note that a Jinja2 sandbox is a hardening layer rather than a guarantee, so imported bento archives should still be treated as code from their author.
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Only import and containerize bento archives from trusted, verified sources
- Manually inspect dockerfile_template files within bento archives before running containerize commands
- Run BentoML containerize operations in isolated virtual machines or sandboxed environments to limit potential impact
- Implement network segmentation to restrict outbound connections from systems processing untrusted bento archives
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.