PT-2026-30282 · Bentoml+1 · Bentoml+1

Offset · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-35044

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BentoML versions prior to 1.4.38

Description

BentoML is a Python library used for building and serving AI applications. A flaw exists in the Dockerfile generation function generate_containerfile() located in src/bentoml/_internal/container/generate.py. This function uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to process user-provided dockerfile_template files. When a user imports a malicious bento archive and executes bentoml containerize, attacker-controlled Jinja2 template code can execute arbitrary Python code directly on the host machine, effectively bypassing container isolation.

The vulnerability stems from the use of jinja2.ext.do, which allows the execution of Python expressions within Jinja2 templates. An attacker can craft a malicious dockerfile template containing code that, when rendered, executes arbitrary commands on the host system. This can lead to full access to the host filesystem, the ability to install backdoors, and potential supply chain compromise.

Recommendations

Update to BentoML version 1.4.38 or later. If updating is not immediately possible, replace the unsandboxed jinja2.Environment with jinja2.sandbox.SandboxedEnvironment and remove the jinja2.ext.do and jinja2.ext.debug extensions from the Jinja2 environment configuration in src/bentoml/_internal/container/generate.py. Also, apply the same fix to the second unsandboxed Environment in build_config.py:499-504.
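
To confirm that both Environment constructions named in the recommendation were actually changed, a source audit can list every Jinja2 environment a file builds and flag the ones that are unsandboxed or still load jinja2.ext.do or jinja2.ext.debug. The script below is an added example, not BentoML code: the function names and the SAMPLE source are constructed for illustration and do not reproduce the contents of generate.py or build_config.py.

```python
import ast

RISKY_EXTENSIONS = {"jinja2.ext.do", "jinja2.ext.debug"}
CONSTRUCTORS = {"Environment", "SandboxedEnvironment", "ImmutableSandboxedEnvironment"}

# Constructed sample input: one "before" and one "after" construction.
SAMPLE = '''
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

before = Environment(extensions=["jinja2.ext.do", "jinja2.ext.loopcontrols", "jinja2.ext.debug"])
after = SandboxedEnvironment(extensions=["jinja2.ext.loopcontrols"])
'''

def _ext_name(node):
    """Extension given as a string literal or as a dotted reference."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Attribute):
        return ast.unparse(node)
    return None

def audit_jinja_environments(source, filename="<constructed>"):
    """Return one finding per Jinja2 environment constructed in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = getattr(func, "attr", None) or getattr(func, "id", None)
        if name not in CONSTRUCTORS:
            continue
        risky = set()
        for kw in node.keywords:
            if kw.arg == "extensions":
                # Walk the whole expression so lists, tuples and concatenations are covered.
                risky |= {_ext_name(n) for n in ast.walk(kw.value)} & RISKY_EXTENSIONS
        findings.append({"line": node.lineno, "constructor": name,
                         "sandboxed": name != "Environment",
                         "risky_extensions": sorted(risky)})
    return sorted(findings, key=lambda f: f["line"])

def needs_fix(findings):
    """Findings that still match the vulnerable pattern from the advisory."""
    return [f for f in findings if not f["sandboxed"] or f["risky_extensions"]]

if __name__ == "__main__":
    for finding in needs_fix(audit_jinja_environments(SAMPLE)):
        print(finding)
```

The audit only sees extensions written literally at the call site; an extension list assembled elsewhere and passed in by variable needs manual review.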

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-35044
GHSA-V959-CWQ9-7HR6
PYSEC-2026-159

Affected Products

Bentoml
Jinja2