CVE-2026-44346 Overview
CVE-2026-44346 is a command injection vulnerability in BentoML, a Python library for building online serving systems for AI applications and model inference. The flaw exists in versions prior to 1.4.39. A malicious bentofile.yaml containing a newline-injected value in the envs[*].name field produces unquoted RUN directives in the BentoML-generated Dockerfile. When a victim runs bentoml containerize on the imported bento, those injected RUN directives execute on the host during docker build. The vulnerability is fixed in BentoML 1.4.39.
Critical Impact
Attackers can achieve arbitrary command execution on a victim's build host by tricking them into containerizing a malicious bento, leading to full host compromise during the Docker build process.
Affected Products
- BentoML versions prior to 1.4.39
- Build hosts running bentoml containerize on attacker-supplied bentos
- CI/CD pipelines that automate BentoML containerization workflows
Discovery Timeline
- 2026-05-27 - CVE-2026-44346 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-44346
Vulnerability Analysis
The vulnerability is classified under [CWE-78] Improper Neutralization of Special Elements used in an OS Command. BentoML generates Dockerfiles from user-supplied bentofile.yaml configurations. The envs[*].name field accepts environment variable names that are interpolated directly into Dockerfile RUN directives without proper quoting or sanitization.
When an attacker injects newline characters into a name value, the generated Dockerfile contains additional unquoted RUN lines under the attacker's control. These injected directives execute during docker build, granting code execution in the build environment.
Exploitation requires user interaction. The victim must import a malicious bento and execute bentoml containerize against it. This pattern frequently arises in machine learning workflows that share bentos across teams or pull them from registries.
Root Cause
The root cause is insufficient input validation and missing output encoding when serializing bentofile.yaml environment variable definitions into Dockerfile directives. BentoML did not reject or escape newline characters in envs[*].name, allowing the YAML structure to break out of its intended Dockerfile context.
Attack Vector
An attacker crafts a bentofile.yaml with a newline-injected value in envs[*].name. The attacker distributes the malicious bento through a model registry, repository, or direct file transfer. When the victim runs bentoml containerize against the bento, BentoML emits a Dockerfile containing the attacker's injected RUN commands. The subsequent docker build executes the injected commands on the host with the privileges of the user running the build.
The vulnerability description and advisory do not include verified proof-of-concept code. See the BentoML GitHub Security Advisory GHSA-w2pm-x38x-jp44 for technical details.
Detection Methods for CVE-2026-44346
Indicators of Compromise
- Generated Dockerfiles containing unexpected RUN directives not declared in the source bentofile.yaml
- bentofile.yaml files with multi-line or newline-containing values in envs[*].name fields
- Unexpected child processes spawned by docker build during a bentoml containerize operation
- Outbound network connections originating from container build hosts during BentoML builds
Detection Strategies
- Statically scan bentofile.yaml files for control characters, newlines, or shell metacharacters in envs entries before importing third-party bentos
- Diff BentoML-generated Dockerfiles against expected templates to identify injected RUN directives
- Monitor BentoML versions deployed across developer workstations and CI runners and flag any below 1.4.39
Monitoring Recommendations
- Log all invocations of bentoml containerize in CI/CD pipelines with the source bento identifier and SHA
- Alert on process executions and outbound connections from Docker build contexts that deviate from baseline build behavior
- Track introduction of new or unsigned bentos into internal model registries and require review before containerization
How to Mitigate CVE-2026-44346
Immediate Actions Required
- Upgrade BentoML to version 1.4.39 or later on all development workstations, CI/CD runners, and build servers
- Audit existing bentofile.yaml files and Dockerfile artifacts for injected RUN directives
- Restrict execution of bentoml containerize to bentos that originate from trusted, internally reviewed sources
Patch Information
BentoML version 1.4.39 fixes the vulnerability by properly handling and validating values supplied in envs[*].name. Refer to the BentoML GitHub Security Advisory GHSA-w2pm-x38x-jp44 for the official patch reference and release notes.
Workarounds
- Validate every bentofile.yaml before import and reject values containing newline or shell metacharacters in envs[*].name
- Run bentoml containerize inside isolated, ephemeral build environments with no access to production secrets or networks
- Require signed bentos and enforce code review for any third-party or externally supplied bento before containerization
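As an added example (not BentoML's own code and not from the advisory), a Python pre-import check that implements the validation from the Workarounds list and the static scan from Detection Strategies above: it loads a bentofile.yaml with PyYAML's safe_load (assumed available when scanning files) and reports any envs[*].name containing a newline, another control character, or a character outside a conservative POSIX variable-name allow-list; the allow-list and the sample config are my assumptions, not part of the advisory.

```python
import re
from typing import Any

# Assumption (not from the advisory): a conservative allow-list for environment
# variable names, the POSIX portable character set for shell variable names.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_env_entries(config: dict[str, Any]) -> list[str]:
    """Return one finding per problematic envs[*].name; empty list means clean."""
    findings: list[str] = []
    envs = config.get("envs") or []
    if not isinstance(envs, list):
        return [f"envs: expected a list, got {type(envs).__name__}"]
    for idx, entry in enumerate(envs):
        if not isinstance(entry, dict) or "name" not in entry:
            findings.append(f"envs[{idx}]: missing 'name' field")
            continue
        name = entry["name"]
        if not isinstance(name, str):
            findings.append(f"envs[{idx}].name: not a string ({type(name).__name__})")
        elif "\n" in name or "\r" in name:
            # The CVE-2026-44346 pattern: a line break lets the name spill into
            # a new Dockerfile directive, so it is reported before anything else.
            findings.append(f"envs[{idx}].name: contains a newline ({name!r})")
        elif any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
            findings.append(f"envs[{idx}].name: contains a control character ({name!r})")
        elif not ENV_NAME_RE.match(name):
            findings.append(f"envs[{idx}].name: invalid characters ({name!r})")
    return findings


def validate_bentofile(path: str) -> list[str]:
    """Load a bentofile.yaml with PyYAML's safe_load and check its envs section."""
    import yaml  # third-party; only needed when scanning real files
    with open(path, encoding="utf-8") as fh:
        config = yaml.safe_load(fh) or {}
    return check_env_entries(config if isinstance(config, dict) else {})


# Constructed sample (not from the advisory): entry 1 carries the newline
# pattern the advisory describes, with a harmless echo standing in for a payload.
SAMPLE_CONFIG: dict[str, Any] = {
    "envs": [
        {"name": "MODEL_PATH", "value": "/models/latest"},
        {"name": "FOO\nRUN echo injected", "value": "bar"},
        {"name": "BAD NAME", "value": "x"},
    ],
}
```

Run validate_bentofile on each bento before import and refuse the bento whenever the returned list is non-empty; a safe_load that succeeds does not by itself mean the names are safe, which is why the name check is separate from parsing.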
# Upgrade BentoML to the patched release
pip install --upgrade 'bentoml>=1.4.39'
# Verify the installed version
bentoml --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.