PT-2026-28523 · Bentoml · Bentoml

Golang-Not-Rust · Published 2026-03-26 · Updated 2026-04-03 · CVE-2026-33744

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BentoML versions prior to 1.4.37

Description

BentoML is a Python library used for building online serving systems for AI applications and model inference. A flaw exists where the docker.system_packages field within the bentofile.yaml file does not properly sanitize arbitrary strings before they are interpolated into Dockerfile RUN commands. Because this field is intended to hold a list of OS package names (data), it is not expected to be interpreted as shell commands. This allows a malicious bentofile.yaml file to achieve arbitrary command execution during the bentoml containerize or docker build process.

The issue resides in several components, including src/_bentoml_sdk/images.py, src/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2, src/bentoml/_internal/bento/build_config.py, and all distro install commands in src/bentoml/_internal/container/frontend/dockerfile/__init__.py. The impact of this issue includes potential compromise of malicious repositories, CI/CD pipelines, BentoCloud infrastructure, and the BentoML ecosystem's supply chain. The system_packages field values are treated as data by the user but are directly formatted into shell commands in the Dockerfile without proper escaping.

Recommendations

Versions prior to 1.4.37: Implement input validation for the system_packages field in build_config.py using a regular expression to ensure package names only contain alphanumeric characters, dots, plus signs, hyphens, underscores, and colons.

Versions prior to 1.4.37: Apply shlex.quote() to each package name before interpolation in images.py:system_packages() and apply the bash_quote Jinja2 filter in base_debian.j2.
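The two recommendations combined, as an added example that is not BentoML's own code or its actual patch: an allow-list check on each package name followed by shlex.quote() before the name reaches a RUN line. The function names, the simplified apt-get command line and the sample values are assumptions made for illustration, and the requirement that a name start with an alphanumeric character is an extra tightening beyond the character set the advisory lists.

```python
import re
import shlex

# Character set from the recommendation: alphanumerics, dots, plus signs,
# hyphens, underscores, colons. The alphanumeric first character is an added
# assumption so a value such as "-q" cannot be read as an option by apt-get.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+\-_:]*")

# Simplified stand-in for the install command the Dockerfile templates emit.
INSTALL_PREFIX = "RUN apt-get install -y "


def validate_system_packages(packages):
    """Return a copy of the list, or raise ValueError on the first bad entry."""
    for name in packages:
        # fullmatch (not match/$) so a trailing newline cannot slip through.
        if not isinstance(name, str) or not PACKAGE_NAME_RE.fullmatch(name):
            raise ValueError(f"invalid system package name: {name!r}")
    return list(packages)


def render_run_unsafe(packages):
    """The pattern the advisory describes: raw strings formatted into RUN."""
    return INSTALL_PREFIX + " ".join(packages)


def quote_only(packages):
    """Quoting alone: metacharacters arrive as one literal argument."""
    return INSTALL_PREFIX + " ".join(shlex.quote(p) for p in packages)


def render_run_safe(packages):
    """Validate at config-load time, then quote as defence in depth."""
    checked = validate_system_packages(packages)
    return INSTALL_PREFIX + " ".join(shlex.quote(p) for p in checked)


# Constructed sample values, not taken from the advisory.
GOOD = ["libgomp1", "g++", "libssl1.1:amd64", "python3.11-dev"]
BAD = ["curl; echo injected"]

if __name__ == "__main__":
    print(render_run_safe(GOOD))
    print(render_run_unsafe(BAD))  # ';' ends apt-get and starts a second command
    print(quote_only(BAD))         # a single quoted argument, no second command
```

Validation rejects the entry before any Dockerfile is generated, while quoting covers code paths that interpolate the value without passing through the validator.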

Exploit

Fix

OS Command Injection

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-33744
GHSA-FGV4-6JR3-JGFW
GHSA-JFJG-VC52-WQVF
PYSEC-2026-157

Affected Products

Bentoml