Cyber Posture

CVE-2026-35043

High · Public PoC

Published: 06 April 2026
Modified: 10 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35043 is a high-severity OS Command Injection (CWE-78) vulnerability in BentoML. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 6.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Machine Learning Libraries.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Timely flaw remediation by upgrading BentoML to version 1.4.38 or later directly eliminates the command injection vulnerability in the cloud deployment path.

prevent

Validating and sanitizing the user-specified system_packages input before interpolating it into shell commands prevents command injection exploitation during BentoCloud deployments.

detect

Vulnerability monitoring and scanning identifies the presence of CVE-2026-35043 in BentoML components, enabling proactive remediation before exploitation.

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Unix Shell (Tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection (CWE-78) in cloud deployment script generation directly enables arbitrary Unix shell command execution on remote CI/CD infrastructure via local client exploitation with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38.

Deeper analysis [AI]

CVE-2026-35043 is a command injection vulnerability (CWE-78) in BentoML, an open-source Python library for building online serving systems optimized for AI applications and model inference. The issue affects versions prior to 1.4.38 and resides in the cloud deployment path at src/bentoml/_internal/cloud/deployment.py. Specifically, line 1648 interpolates the user-specified system_packages directly into a shell command using an f-string without proper quoting or sanitization. This flaw was not addressed in the prior fix for CVE-2026-33744. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-06.

An attacker can exploit this vulnerability by supplying a malicious system_packages value during a BentoCloud deployment. The tainted input generates a setup.sh script that is uploaded and executed on BentoCloud's cloud build infrastructure, enabling remote code execution on the CI/CD tier. Exploitation requires local access to run the BentoML deployment command (aligning with the local attack vector), no privileges, low complexity, and user interaction to initiate the deployment, but results in high confidentiality, integrity, and availability impacts on the remote infrastructure.

The BentoML security advisory at https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw confirms the vulnerability and states that it is fixed in version 1.4.38. Security practitioners should advise users to upgrade to BentoML 1.4.38 or later to mitigate the risk.

This vulnerability is particularly relevant for AI/ML workflows, as BentoML is designed for serving AI models, and exploitation could compromise cloud CI/CD pipelines handling model inference deployments. No public information on real-world exploitation is available.
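
The unquoted interpolation described above, next to two hardened variants, as an added example that is not BentoML's code or its actual patch. The function names and the `apt-get install -y` command template are assumptions made for illustration, and the script is only tokenised, never executed.

```python
import re
import shlex

# Debian-style package name: lowercase alphanumerics plus "+", "-", ".".
# The leading alphanumeric also rejects values that would parse as options.
_PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def build_setup_unsafe(system_packages):
    """Vulnerable pattern: values pasted into the command via an f-string.
    The command template is an assumption, not the project's real script."""
    return f"apt-get install -y {' '.join(system_packages)}\n"


def build_setup_quoted(system_packages):
    """shlex.quote() turns each value into exactly one shell word."""
    quoted = " ".join(shlex.quote(p) for p in system_packages)
    return f"apt-get install -y {quoted}\n"


def build_setup_validated(system_packages):
    """Allowlist validation first (SI-10), quoting kept as a second layer."""
    bad = [p for p in system_packages if not _PKG_RE.fullmatch(p)]
    if bad:
        raise ValueError(f"rejected system_packages entries: {bad!r}")
    return build_setup_quoted(system_packages)


def shell_operators(script):
    """Tokenise like a POSIX shell (nothing is executed) and return the
    control operators that appear outside quotes."""
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


if __name__ == "__main__":
    constructed = ["curl", "jq; echo INJECTED"]  # constructed sample input
    print(shell_operators(build_setup_unsafe(constructed)))   # separator leaks
    print(shell_operators(build_setup_quoted(constructed)))   # none outside quotes
    try:
        build_setup_validated(constructed)
    except ValueError as exc:
        print(exc)
```

The same `shell_operators` check can run in CI against any generated setup script as a regression test for this class of bug.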

Details

CWE(s)

Affected Products

bentoml
bentoml
≤ 1.4.38

AI Security Analysis [AI]

AI Category
Machine Learning Libraries
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

CVEs Like This One

CVE-2026-33744 · Same product: Bentoml Bentoml
CVE-2026-27905 · Same product: Bentoml Bentoml
CVE-2026-24123 · Same product: Bentoml Bentoml
CVE-2026-35044 · Same product: Bentoml Bentoml
CVE-2025-54381 · Same product: Bentoml Bentoml
CVE-2026-27487 · Shared CWE-78
CVE-2026-41015 · Shared CWE-78
CVE-2026-24844 · Shared CWE-78
CVE-2026-40032 · Shared CWE-78
CVE-2026-35022 · Shared CWE-78
