CVE-2026-40610 Overview
CVE-2026-40610 is a symlink following vulnerability in BentoML, a Python library for building online serving systems for AI applications and model inference. The build packaging workflow in versions 1.4.38 and prior dereferences attacker-controlled symlinks inside the build context. When bentoml build runs against an untrusted repository, the tool copies the contents of symlink targets into the generated Bento artifact. Attackers can exfiltrate sensitive local files such as cloud credentials, SSH keys, API tokens, and environment files. The leaked contents propagate further through export, push, and containerization workflows. The issue is fixed in version 1.4.39 [CWE-59].
Critical Impact
An attacker who supplies a malicious build context can exfiltrate arbitrary files from the build host into Bento artifacts, exposing secrets that then propagate through downstream export, push, and container workflows.
Affected Products
- BentoML versions 1.4.38 and prior
- BentoML build packaging workflow (bentoml build)
- Downstream artifacts produced by export, push, and containerization workflows
Discovery Timeline
- 2026-05-22 - CVE-2026-40610 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-40610
Vulnerability Analysis
The vulnerability resides in the BentoML build packaging logic in src/bentoml/_internal/bento/bento.py. When constructing a Bento artifact, the code walks the build context and copies referenced files into the artifact directory using shutil.copy. The default behavior of shutil.copy follows symbolic links and copies the contents of the link target rather than the link itself. An attacker who controls the build context can plant a symlink such as loot.txt -> /tmp/outside-marker.txt or a link pointing to a more sensitive file like ~/.aws/credentials or ~/.ssh/id_rsa. When the victim runs bentoml build, BentoML dereferences the symlink and packages the target file contents into the Bento.
Root Cause
The root cause is improper link resolution before file access [CWE-59]. The copy operation in BentoStore did not set follow_symlinks=False, so a symlink inside the build context was copied as though it were a regular file at that position in the project tree, with the link target's contents written into the artifact. No validation confirmed that the resolved target path remained within the intended build context boundary.
Attack Vector
Exploitation requires the victim to build an attacker-supplied repository or build context, making user interaction necessary. The attacker commits a symlink pointing to a sensitive file path that is likely to exist on a developer or CI build host. After bentoml build completes, the resulting Bento contains the exfiltrated file contents. Because Bentos are commonly pushed to registries, exported, or containerized, the leaked data propagates beyond the original build machine.
target_fs.joinpath(dest_dir).mkdir(parents=True, exist_ok=True)
src_file = ctx_path.joinpath(path)
dst_file = target_fs.joinpath(dest_path)
- shutil.copy(src_file, dst_file)
+ shutil.copy(src_file, dst_file, follow_symlinks=False)
if image is None:
# NOTE: we need to generate both Python and Conda
# first to make sure we can generate the Dockerfile correctly.
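Review bot: the change only stops dereferencing; it adds no containment check, so `src_file = ctx_path.joinpath(path)` is still copied without confirming that a link's resolved target lies under `ctx_path`. After this hunk an escaping link such as `loot.txt -> /tmp/outside-marker.txt` is written into the Bento as a (possibly dangling, absolute) symlink rather than rejected or logged. Consider resolving `src_file` before the copy and refusing, or at least warning on, any link whose resolved path is not inside `ctx_path`, and add a short comment on the `follow_symlinks=False` line stating that it exists to prevent host file exfiltration, so a future refactor does not drop it.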
Source: GitHub Commit 5fb7cd4 - the patch passes follow_symlinks=False to shutil.copy, preserving symlinks as links rather than dereferencing them during artifact assembly.
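The behaviour described in the analysis above, reproduced as an added example (not BentoML's code) on a constructed throwaway build context: the pre-1.4.39 shutil.copy default captures the link target's contents into the artifact, the patched call preserves the link, and a separate, hypothetical containment audit lists links that escape the context root (the audit function is not part of the upstream patch). All file names and contents are constructed sample data.

```python
import shutil
import tempfile
from pathlib import Path


def make_build_context() -> tuple[Path, Path]:
    """Construct a throwaway build context (sample data, not a real repo):
    a regular file, a harmless in-tree relative symlink, and a planted link
    whose target lies outside the context. Returns (context, outside file)."""
    root = Path(tempfile.mkdtemp(prefix="cve-2026-40610-"))
    ctx = root / "build_context"
    ctx.mkdir()
    (ctx / "service.py").write_text("# constructed service file\n")
    (ctx / "alias.py").symlink_to("service.py")        # in-tree link, stays in bounds
    outside = root / "outside-marker.txt"              # stands in for ~/.aws/credentials
    outside.write_text("AKIA_CONSTRUCTED_EXAMPLE\n")
    (ctx / "loot.txt").symlink_to(outside)             # planted escaping link
    return ctx, outside


def copy_context(ctx: Path, dest: Path, follow_symlinks: bool) -> None:
    """Mirror the bento.py copy loop: each context path goes through
    shutil.copy. follow_symlinks=True is the pre-1.4.39 default behaviour."""
    for src in sorted(ctx.rglob("*")):
        dst = dest / src.relative_to(ctx)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy(src, dst, follow_symlinks=follow_symlinks)


def artifact_view(follow_symlinks: bool) -> dict:
    """Build, then delete the outside file (as if the artifact left the host):
    a dereferenced copy still carries the secret, a preserved link dangles."""
    ctx, outside = make_build_context()
    dest = ctx.parent / "bento"
    copy_context(ctx, dest, follow_symlinks)
    outside.unlink()
    loot = dest / "loot.txt"
    return {"is_link": loot.is_symlink(),
            "content": loot.read_text() if loot.exists() else None}


def escaping_symlinks(ctx: Path) -> list[str]:
    """Hypothetical audit check (not in the upstream patch): symlinks whose
    resolved target is not inside the build context root."""
    root = ctx.resolve()
    return sorted(str(p.relative_to(ctx)) for p in ctx.rglob("*")
                  if p.is_symlink() and not p.resolve().is_relative_to(root))
```

The audit function is the programmatic form of the symlink review listed under Detection Strategies: only the link that resolves outside the context is reported, in-tree links are left alone.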
Detection Methods for CVE-2026-40610
Indicators of Compromise
- Bento artifacts containing files whose contents match host secrets such as ~/.aws/credentials, ~/.ssh/id_rsa, or .env files.
- Files inside built Bentos with names unrelated to their contents (for example, a loot.txt containing credential material).
- Build logs from bentoml build referencing source paths that resolve outside the project directory.
Detection Strategies
- Inspect Bento artifacts produced before upgrading to version 1.4.39 for unexpected file contents and compare file paths against the original repository tree.
- Scan container images and pushed Bentos with secret-detection tooling to identify embedded credentials, tokens, and private keys.
- Audit source repositories used as BentoML build contexts for symbolic links pointing outside the project root.
Monitoring Recommendations
- Monitor CI/CD pipelines that invoke bentoml build for unexpected file access outside the workspace directory.
- Track pushes to Bento registries and container repositories for artifacts produced from third-party or untrusted repositories.
- Alert on rotation events for secrets known to reside on BentoML build hosts following any build of untrusted code.
How to Mitigate CVE-2026-40610
Immediate Actions Required
- Upgrade BentoML to version 1.4.39 or later on all build hosts and CI runners.
- Rotate any credentials, SSH keys, API tokens, and environment secrets that resided on hosts that built untrusted repositories with vulnerable BentoML versions.
- Review and purge previously built Bento artifacts that may contain leaked host files from registries and storage.
Patch Information
The fix is available in BentoML release v1.4.39 and is implemented in commit 5fb7cd41. Details are published in GitHub Security Advisory GHSA-mcfx-4vc6-qgxv. The patch sets follow_symlinks=False on the internal shutil.copy call so that symlinks are preserved as links rather than dereferenced during Bento assembly.
Workarounds
- Run bentoml build only against trusted repositories and review build contexts for symbolic links before building.
- Execute BentoML builds inside ephemeral, isolated containers or sandboxes that do not contain production secrets, SSH keys, or cloud credentials.
- Use a minimal, unprivileged service account for build hosts so that any files reachable via symlink contain no sensitive material.
# Upgrade BentoML to the patched version
pip install --upgrade "bentoml>=1.4.39"
# Verify the installed version
bentoml --version
# Audit a build context for symbolic links before running bentoml build
find ./build_context -type l -exec ls -la {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.