Cyber Posture

CVE-2026-35044

Severity: High · Public PoC

Published: 06 April 2026

Modified: 10 April 2026
KEV Added: not listed
Patch: (not stated on this page)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35044 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in BentoML (listed as Bentoml Bentoml). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks at the 4.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Machine Learning Libraries.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Template Injection (T1221) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Timely flaw remediation means installing BentoML 1.4.38 or later, which fixes the unsandboxed Jinja2 rendering and so prevents arbitrary code execution on the host.
- prevent: Information input validation scans and sanitizes bento archives and dockerfile_template files to reject malicious Jinja2 code blocks before rendering.
- prevent: Component authenticity verification confirms that bento archives from untrusted sources are genuine and untampered before they are imported and containerize is run.

MITRE ATT&CK Enterprise Techniques · AI

- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
- T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
- T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability is a Jinja2 template injection (T1221) that allows arbitrary Python code execution (T1059.006) when a user processes a malicious bento archive with the containerize command (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.

Deeper analysis · AI

CVE-2026-35044 affects BentoML, a Python library for building online serving systems optimized for AI applications and model inference. In versions prior to 1.4.38, the generate_containerfile() function in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. This allows attacker-controlled Jinja2 template code to execute arbitrary Python code directly on the host machine. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-1336 (Incorrect Handling of Code Blocks in Templating Engine).

An attacker can exploit this vulnerability by crafting a malicious bento archive containing a tainted dockerfile_template. A victim who imports the archive and executes the 'bentoml containerize' command triggers the rendering process, leading to arbitrary Python code execution on the host system and bypassing all container isolation. Exploitation requires user interaction, such as importing and processing the archive, but needs no privileges and can occur over the network with low complexity, potentially granting high-impact confidentiality, integrity, and availability compromises.

The BentoML security advisory at https://github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6 confirms the issue and states that it is fixed in version 1.4.38. Security practitioners should upgrade to BentoML 1.4.38 or later and validate bento archives from untrusted sources before processing.
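The input-validation control above (scan dockerfile_template files and reject suspicious Jinja2 blocks before rendering) and the advisory's description of the cause (a `{% do %}`-enabled, unsandboxed environment rendering user-supplied templates) can be turned into a concrete pre-render gate. The scanner below is an added example written for this page; it is not BentoML's code, and the template contents, variable names (`options`, `bento__name`, `_store`) and the two rejection rules are constructed assumptions. The rules flag any `{% do %}` statement, which only exists when jinja2.ext.do is loaded, and any `.name` or `["name"]` access to an underscore-prefixed attribute, which is the same attribute policy jinja2's own SandboxedEnvironment enforces.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a benign dockerfile_template in the style BentoML renders
# (variable names are illustrative, not BentoML's real template context).
BENIGN_TEMPLATE = """\
{% extends bento_base_template %}
{% block SETUP_BENTO_COMPONENTS %}
{{ super() }}
RUN echo "python {{ options.python_version }} for {{ bento__name }}"
{% endblock %}
"""

# Constructed sample that trips both rules: a `{% do %}` statement and an
# underscore-prefixed attribute lookup (the attribute name is made up).
SUSPICIOUS_TEMPLATE = """\
{% extends bento_base_template %}
{% do options.update(extra="1") %}
RUN echo "{{ options._store }}"
"""

# Any Jinja2 statement `{% %}`, expression `{{ }}` or comment `{# #}` block in
# the default delimiter syntax; DOTALL lets one block span several lines.
_JINJA_BLOCK = re.compile(r"\{[%{#].*?[%}#]\}", re.DOTALL)
# `{% do ... %}` is only parseable when jinja2.ext.do is loaded, the extension
# the advisory names; a Dockerfile template has no legitimate need for it.
_DO_STATEMENT = re.compile(r"\{%-?\s*do\b")
# `.name` or `["name"]` access where the name starts with an underscore; this is
# the rule jinja2's SandboxedEnvironment uses to refuse an attribute lookup.
_PRIVATE_ATTR = re.compile(r"(?:\.|\[\s*['\"])_\w*")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line on which the offending Jinja2 block starts
    rule: str      # "do-statement" or "private-attribute"
    snippet: str   # the block text, for the reviewer


def scan_template(text: str) -> List[Finding]:
    """Return every Jinja2 block in `text` that matches a rejection rule."""
    findings: List[Finding] = []
    for match in _JINJA_BLOCK.finditer(text):
        block = match.group(0)
        line = text.count("\n", 0, match.start()) + 1
        if _DO_STATEMENT.search(block):
            findings.append(Finding(line, "do-statement", block.strip()))
        if _PRIVATE_ATTR.search(block):
            findings.append(Finding(line, "private-attribute", block.strip()))
    return findings


def is_safe_template(text: str) -> bool:
    """Gate to run on a dockerfile_template before it reaches the renderer."""
    return not scan_template(text)


if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN_TEMPLATE), ("suspicious", SUSPICIOUS_TEMPLATE)):
        print(f"{name}: {'accept' if is_safe_template(tpl) else 'reject'}")
        for f in scan_template(tpl):
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

This is a blocklist heuristic, useful as a detection layer on archives arriving from untrusted sources, not a substitute for the fix: the structural control is to upgrade to 1.4.38 as the advisory states, or, in any code that renders user-supplied templates, to render through jinja2.sandbox.SandboxedEnvironment rather than a plain jinja2.Environment so that the attribute policy is enforced by the engine instead of by a regex.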

Details

CWE(s)

Affected Products

bentoml bentoml ≤ 1.4.38

AI Security Analysis · AI

AI Category: Machine Learning Libraries
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

- CVE-2026-27905: same product (Bentoml Bentoml)
- CVE-2026-33744: same product (Bentoml Bentoml)
- CVE-2026-24123: same product (Bentoml Bentoml)
- CVE-2026-35043: same product (Bentoml Bentoml)
- CVE-2025-54381: same product (Bentoml Bentoml)
- CVE-2026-25731: shared CWE-1336
- CVE-2026-40320: shared CWE-1336
- CVE-2026-39980: shared CWE-1336
- CVE-2025-27516: shared CWE-1336
- CVE-2025-12107: shared CWE-1336

References