Cyber Resilience

CVE-2026-33744

High · Public PoC

Published: 27 March 2026
Modified: 01 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in version 1.4.37
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33744 is a high-severity Code Injection (CWE-94) vulnerability in Bentoml Bentoml. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 1.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under Other Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33744 is a command injection vulnerability (CWE-94) in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. Versions prior to 1.4.37 mishandle the `docker.system_packages` field in `bentofile.yaml` configuration files. This field, intended as a list of OS package names, accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization, allowing unexpected shell command execution. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires a local attacker to supply a malicious `bentofile.yaml` file, tricking a user into executing `bentoml containerize` or `docker build` on the host system. No privileges are needed, but local access and user interaction are required to trigger the build process. Successful attacks achieve arbitrary command execution during the Docker build, with high impacts on confidentiality, integrity, and availability of the build environment.

The official BentoML GitHub security advisory (GHSA-jfjg-vc52-wqvf) documents the issue, stating that version 1.4.37 resolves it by addressing the lack of sanitization in the `docker.system_packages` field. Security practitioners should advise upgrading to BentoML 1.4.37 or later for affected deployments.

Vulnerability details

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
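The defect described above (a list of package names that ends up verbatim in a Dockerfile `RUN` line) and the corresponding input-validation control from the mitigation section can both be shown in a small pre-build check. The following is an added example written for this page; it is not BentoML's code and does not reproduce its Dockerfile generator. It assumes the `bentofile.yaml` has already been parsed into a Python dict (the sample dicts are constructed here) and uses a conservative package-name pattern that is itself an assumption, not a BentoML rule.

```python
"""Pre-build check for the docker.system_packages field of a bentofile.yaml.

Added example for this advisory page, not BentoML's own code. It contrasts
the pattern the advisory describes (entries pasted straight into a RUN line)
with a hardened renderer that validates each entry as a package name and
shell-quotes it, and offers an audit function a CI step can run before
`bentoml containerize` / `docker build` is ever invoked.
"""
import re
import shlex
from typing import Any, Dict, List

# ASSUMPTION: a conservative approximation of Debian package-name syntax
# (lowercase letters, digits, '+', '-', '.', at least two characters) with an
# optional "=version" pin. Anything else, including whitespace and shell
# metacharacters, is rejected. Tighten or swap this for your base image's rules.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.\-]+(=[A-Za-z0-9.+:~\-]+)?$")

APT_PREFIX = "RUN apt-get update && apt-get install -y "


def find_bad_packages(packages: List[Any]) -> List[str]:
    """Return every entry that is not a plain package name (empty list == clean)."""
    return [str(p) for p in packages
            if not isinstance(p, str) or not PACKAGE_NAME_RE.match(p)]


def render_run_unsafe(packages: List[str]) -> str:
    """The shape of the defect: data joined into a shell line with no checks."""
    return APT_PREFIX + " ".join(packages)


def render_run_hardened(packages: List[str]) -> str:
    """Validate first (the real control), then quote (defence in depth)."""
    bad = find_bad_packages(packages)
    if bad:
        raise ValueError(f"docker.system_packages has non-package entries: {bad}")
    return APT_PREFIX + " ".join(shlex.quote(p) for p in packages)


def audit_bentofile(config: Dict[str, Any]) -> List[str]:
    """Findings for a parsed bentofile.yaml; an empty list means it may be built."""
    docker = config.get("docker") or {}
    packages = docker.get("system_packages")
    if packages is None:
        return []
    if not isinstance(packages, list):
        return ["docker.system_packages must be a list of package names"]
    return [f"docker.system_packages entry is not a package name: {e!r}"
            for e in find_bad_packages(packages)]


# Constructed samples: the parsed form of two bentofile.yaml files, not taken
# from the advisory or from any real project.
SAMPLE_CLEAN = {"service": "service:svc",
                "docker": {"system_packages": ["git", "libgomp1", "curl=7.88.1-10"]}}
SAMPLE_BAD = {"service": "service:svc",
              "docker": {"system_packages": ["git", "libgomp1 && echo not-a-package"]}}

if __name__ == "__main__":
    print(render_run_unsafe(SAMPLE_BAD["docker"]["system_packages"]))  # shell text survives
    print(render_run_hardened(SAMPLE_CLEAN["docker"]["system_packages"]))
    for finding in audit_bentofile(SAMPLE_BAD):
        print("REJECT:", finding)
```

Note that quoting alone is not a sufficient fix: a quoted `'libgomp1 && echo not-a-package'` is merely passed to `apt-get` as one bogus package name and fails the build, whereas the allowlist check fails fast with a readable message before any Docker daemon is involved. Running `audit_bentofile` in the same CI job that lints the rest of the repository gives you the SI-10 style control from the mitigation list independently of which BentoML version the build host has installed.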

CWE(s)

CWE-94 (Code Injection)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, bentoml

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Command injection into a Dockerfile `RUN` line via an unsanitized `bentofile.yaml` enables Unix shell execution (T1059.004) when a user is tricked into processing the malicious config file with `bentoml containerize` or `docker build` (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44346 (same product: Bentoml Bentoml)
CVE-2026-27905 (same product: Bentoml Bentoml)
CVE-2026-35043 (same product: Bentoml Bentoml)
CVE-2026-35044 (same product: Bentoml Bentoml)
CVE-2026-24123 (same product: Bentoml Bentoml)
CVE-2026-44345 (same product: Bentoml Bentoml)
CVE-2025-54381 (same product: Bentoml Bentoml)
CVE-2025-61982 (shared CWE-94)
CVE-2026-3476 (shared CWE-94)
CVE-2026-42214 (shared CWE-94)

Affected Assets

bentoml / bentoml: ≤ 1.4.37

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely remediation of identified flaws, such as patching BentoML to version 1.4.37 or later, which directly fixes the lack of sanitization in the `docker.system_packages` field.

SI-10 Information Input Validation (prevent): Mandates input validation at application interfaces like `bentoml containerize`, rejecting arbitrary strings in `docker.system_packages` that could enable command injection during Docker builds.

Prevent: Enforces restrictions on inputs to configuration files like `bentofile.yaml`, limiting `docker.system_packages` to valid OS package names and preventing shell command interpolation.

References