CVE-2026-24123
Published: 26 January 2026
Summary
CVE-2026-24123 is a high-severity Path Traversal (CWE-22) vulnerability in BentoML. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 3.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24123 is a path traversal vulnerability (CWE-22) affecting BentoML, a Python library for building online serving systems optimized for AI applications and model inference. In versions prior to 1.4.34, the `bentofile.yaml` configuration file permits path traversal attacks via multiple file path fields, including `description`, `docker.setup_script`, `docker.dockerfile_template`, and `conda.environment_yml`. This flaw allows malicious inputs to read arbitrary files during the bento build process.
A remote attacker with no privileges can exploit this by crafting a malicious `bentofile.yaml` and tricking a victim into building a bento with it, typically requiring user interaction such as executing the build command. Successful exploitation exfiltrates arbitrary files from the victim's filesystem—such as SSH keys, credentials, or environment variables—directly into the bento archive. These sensitive files are then silently exposed when the bento is pushed to container registries or deployed, enabling supply chain attacks. The vulnerability carries a CVSS v3.1 score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), reflecting high confidentiality impact with scope change.
BentoML version 1.4.34 addresses the issue with a targeted patch. Mitigation requires upgrading to this version or later. Official details are provided in the GitHub security advisory (GHSA-6r62-w2q3-48hf), release notes for v1.4.34, and the fixing commit (84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4723
Vulnerability details
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue.
- CWE(s): CWE-22 (Path Traversal)
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, bentoml
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1005 Data from Local System
- T1195 Supply Chain Compromise
Why these techniques?
Path traversal enables arbitrary local file read (T1005) during the bento build; inclusion of the read files in the resulting archive directly facilitates supply chain compromise (T1195) via poisoned artifacts in registries and deployments.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation and sanitization of the file path fields in bentofile.yaml so that traversal sequences are rejected before any arbitrary read occurs.
- SI-2 (Flaw Remediation): requires prompt application of the vendor patch in v1.4.34, which eliminates the path traversal logic in the bento build process.
- Access control: enforces access control policies so the BentoML build process cannot read arbitrary sensitive files even when malicious paths are supplied.
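The input-validation control above, and the build-time traversal described under "Deeper analysis", come down to one check: every path field must resolve inside the build context. The following is an added example written for this page, not BentoML's own patch; it assumes the four advisory fields hold plain path strings, builds a constructed temporary context, and also covers the symlink and absolute-path cases, which go beyond the `../` sequences the advisory describes.

```python
import os
import tempfile
from pathlib import Path

# File-path fields of bentofile.yaml named in the advisory, as key tuples.
PATH_FIELDS = (
    ("description",),
    ("docker", "setup_script"),
    ("docker", "dockerfile_template"),
    ("conda", "environment_yml"),
)

def resolve_within(root: str, candidate: str) -> Path:
    """Resolve `candidate` against `root`; refuse anything that escapes it."""
    root_path = Path(root).resolve()
    # resolve() follows symlinks, so a link inside the context that points
    # outside it is caught; an absolute candidate replaces root in the join
    # and is caught by the same containment check.
    target = (root_path / candidate).resolve()
    try:
        target.relative_to(root_path)
    except ValueError:
        raise ValueError(f"{candidate!r} resolves outside the build context")
    return target

def check_bentofile(root: str, config: dict) -> dict:
    """Validate every path field present in `config`; map field -> resolved path."""
    resolved = {}
    for keys in PATH_FIELDS:
        node = config
        for key in keys:
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            resolved[".".join(keys)] = resolve_within(root, str(node))
    return resolved

def demo() -> dict:
    """Constructed build context: one legitimate script, one symlink escaping it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "setup.sh").write_text("#!/bin/sh\necho build\n")
        os.symlink(Path(root).parent, Path(root, "escape"))  # link out of context
        results["safe"] = "docker.setup_script" in check_bentofile(
            root, {"docker": {"setup_script": "setup.sh"}})
        for label, path in (("dotdot", "../../etc/hostname"), ("absolute", "/etc/hostname"),
                            ("symlink", "escape/hostname")):
            try:
                check_bentofile(root, {"conda": {"environment_yml": path}})
                results[label] = False  # accepted: validation failed
            except ValueError:
                results[label] = True   # rejected, as intended
    return results
```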