CVE-2026-44345 Overview
CVE-2026-44345 is a command injection vulnerability in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. The flaw exists in the Dockerfile template src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2, which interpolates the docker.base_image value without escaping, newline filtering, or validation. A crafted bento.yaml containing a multi-line docker.base_image value smuggles attacker-controlled Dockerfile directives into the generated Dockerfile. When a victim runs bentoml containerize, the subsequent docker build executes the injected RUN instructions on the host. The issue is fixed in BentoML 1.4.39 and is tracked under [CWE-78].
Critical Impact
Processing an untrusted bento.yaml and invoking bentoml containerize results in arbitrary command execution on the build host with the privileges of the Docker daemon user.
Affected Products
- BentoML versions prior to 1.4.39
- Build systems and CI/CD pipelines invoking bentoml containerize on untrusted bento bundles
- Developer workstations consuming third-party bento.yaml files
Discovery Timeline
- 2026-05-27 - CVE-2026-44345 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44345
Vulnerability Analysis
BentoML generates a Dockerfile from a Jinja2 template located at src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2. The template substitutes the docker.base_image field from bento.yaml directly into the FROM instruction. The substitution applies no escaping, newline stripping, or value validation. An attacker who controls the bento.yaml can place newline characters and additional Dockerfile directives within the docker.base_image string. These directives become part of the rendered Dockerfile and execute when docker build runs.
The injected directives run during image build, which means commands execute on the host that invokes bentoml containerize. This bridges a configuration file parse into operating system command execution, matching the OS Command Injection pattern in [CWE-78].
Root Cause
The root cause is missing input validation and output encoding on the docker.base_image field. The template treats the value as a trusted single-line identifier. The parser accepts multi-line YAML strings, allowing line breaks and arbitrary RUN, COPY, or ENV directives to pass through unchanged.
Attack Vector
An attacker publishes or supplies a malicious bento bundle whose bento.yaml sets docker.base_image to a value such as a legitimate image name followed by newline-delimited RUN directives. When a developer, build agent, or CI pipeline executes bentoml containerize against the bundle, the generated Dockerfile contains the injected directives. The docker build invocation executes those directives, granting the attacker code execution in the build context. User interaction is required because a victim must initiate containerization. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-44345
Indicators of Compromise
- bento.yaml files where docker.base_image contains newline characters, whitespace beyond a single image reference, or Dockerfile keywords such as RUN, COPY, or ADD.
- Generated Dockerfiles in BentoML build directories containing directives the developer did not author.
- Unexpected outbound network connections, file writes, or shell invocations occurring during docker build execution triggered by bentoml containerize.
Detection Strategies
- Statically scan bento.yaml files in repositories and registries for multi-line values under the docker.base_image key.
- Diff the rendered Dockerfile against an expected template to detect injected instructions before invoking docker build.
- Monitor build hosts for child processes spawned by docker build that deviate from expected base image setup activity.
Monitoring Recommendations
- Log all bentoml containerize invocations along with the source repository and commit hash of the bento bundle.
- Forward Docker daemon audit events and build logs to a centralized analytics platform for anomaly review.
- Alert on installations of BentoML versions below 1.4.39 across developer workstations and build infrastructure.
How to Mitigate CVE-2026-44345
Immediate Actions Required
- Upgrade BentoML to version 1.4.39 or later on every workstation, build agent, and container image that runs bentoml containerize.
- Audit all bento.yaml files from external or untrusted sources for malformed docker.base_image values before processing.
- Restrict bentoml containerize execution to isolated build environments without access to production secrets or networks.
Patch Information
The maintainers fixed the vulnerability in BentoML 1.4.39. Refer to the BentoML GHSA-78f9-r8mh-4xm2 advisory for the patch reference and release notes.
Workarounds
- Validate docker.base_image against a strict regular expression accepting only canonical image references such as ^[a-zA-Z0-9._/:@-]+$ before invoking containerization.
- Run bentoml containerize inside an ephemeral, network-restricted sandbox so injected directives cannot reach sensitive systems.
- Generate the Dockerfile, inspect it manually or with an automated linter, and only then execute docker build against the verified output.
# Configuration example: upgrade BentoML and validate base_image values
pip install --upgrade 'bentoml>=1.4.39'
# Pre-flight check before containerization
python -c "import yaml,re,sys; b=yaml.safe_load(open('bento.yaml')); img=b.get('docker',{}).get('base_image',''); sys.exit(0 if re.fullmatch(r'[A-Za-z0-9._/:@-]+', img) else 1)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
