CVE-2026-24123
Published: 26 January 2026
Summary
CVE-2026-24123 is a high-severity Path Traversal (CWE-22) vulnerability in BentoML. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 2nd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Machine Learning Libraries, in the Supply Chain and Deployment risk domain.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal gives arbitrary local file read (T1005) at bento build time. Because the files read are written into the resulting archive, the poisoned artifact carries them into registries and deployments, which is a supply chain compromise (T1195).
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue.
Deeper analysis
CVE-2026-24123 is a path traversal vulnerability (CWE-22) affecting BentoML, a Python library for building online serving systems optimized for AI applications and model inference. In versions prior to 1.4.34, the `bentofile.yaml` configuration file permits path traversal via multiple file path fields, including `description`, `docker.setup_script`, `docker.dockerfile_template`, and `conda.environment_yml`. Attacker-controlled values in these fields are resolved without being confined to the build context, so the build reads arbitrary files from the machine running it.
A remote, unprivileged attacker exploits this by crafting a malicious `bentofile.yaml` and getting a victim to build a bento from it; the attack therefore requires user interaction, namely the victim running the bento build. Successful exploitation copies arbitrary files from the victim's filesystem, such as SSH keys, credentials, or environment files, directly into the bento archive. Those files are then silently exposed when the bento is pushed to a registry or deployed, which is what turns a local file read into a supply chain attack. The vulnerability carries a CVSS v3.1 score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), reflecting high confidentiality impact with a scope change (the files leave the build host via the artifact).
BentoML version 1.4.34 addresses the issue with a targeted patch. Mitigation requires upgrading to this version or later. Official details are provided in the GitHub security advisory (GHSA-6r62-w2q3-48hf), release notes for v1.4.34, and the fixing commit (84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4).
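The mitigating control listed above (confine pathnames to the intended directory) and the build-time mechanism described in this analysis are illustrated by the following pre-build audit. It is an added example and not BentoML's own code or its 1.4.34 patch: it assumes the `bentofile.yaml` has already been loaded into a dict (for example with `yaml.safe_load`), takes the four field names from the advisory, and treats each of them as a plain path relative to the build context. Paths are resolved with symlinks followed before the containment check, so a symlink inside the context that points at `~/.ssh/id_rsa` is rejected just like a literal `../` sequence or an absolute path.

```python
import os
import tempfile
from typing import Optional

# bentofile.yaml fields the advisory names as file-path inputs (assumption:
# each holds a path relative to the build context). Dotted keys walk nested maps.
PATH_FIELDS = (
    "description",
    "docker.setup_script",
    "docker.dockerfile_template",
    "conda.environment_yml",
)


def resolve_in_context(build_ctx: str, user_path: str) -> Optional[str]:
    """Resolve user_path against build_ctx.

    Returns the real absolute path when it stays inside the context, else None.
    Symlinks are resolved *before* the containment test, so a link (or a
    symlinked parent directory followed by '..') that leaves the context is
    caught; lexical normalisation alone would miss that case.
    """
    root = os.path.realpath(build_ctx)
    # os.path.join discards root when user_path is absolute, so an absolute
    # value such as /etc/passwd is judged on its own and rejected below.
    target = os.path.realpath(os.path.join(root, user_path))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return target if inside else None


def _lookup(config: dict, dotted: str):
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_bentofile(config: dict, build_ctx: str) -> list:
    """Return the dotted names of path fields whose value escapes build_ctx."""
    findings = []
    for field in PATH_FIELDS:
        value = _lookup(config, field)
        if isinstance(value, str) and resolve_in_context(build_ctx, value) is None:
            findings.append(field)
    return findings


def demo() -> dict:
    """Audit a constructed malicious bentofile and a benign one (sample data)."""
    with tempfile.TemporaryDirectory() as ctx, tempfile.TemporaryDirectory() as elsewhere:
        # A file outside the build context, reachable through a symlink inside it.
        secret = os.path.join(elsewhere, "id_rsa")
        with open(secret, "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed sample)\n")
        os.symlink(secret, os.path.join(ctx, "setup.sh"))

        malicious = {  # constructed attacker-supplied bentofile
            "description": "../../../../etc/passwd",       # classic dot-dot
            "docker": {
                "setup_script": "setup.sh",                # symlink out of ctx
                "dockerfile_template": "/etc/shadow",      # absolute path
            },
            "conda": {"environment_yml": "env/../environment.yml"},  # stays inside
        }
        benign = {"description": "README.md", "docker": {"setup_script": "build.sh"}}
        return {
            "malicious": audit_bentofile(malicious, ctx),
            "benign": audit_bentofile(benign, ctx),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no traversal found'}")
```

Run this against a `bentofile.yaml` before `bentoml build` on untrusted input, or wire `resolve_in_context` into whatever loads those four fields so a rejected path aborts the build instead of being read. The check is deliberately a containment test rather than a blocklist of `..`: `env/../environment.yml` is accepted because it normalises to a file inside the context, while the symlink case, which contains no `..` at all, is still rejected.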
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Machine Learning Libraries
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai