PT-2026-4828 · Bentoml · Bentoml

Logicx24 · Published 2026-01-26 · Updated 2026-01-27 · CVE-2026-24123

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

BentoML versions prior to 1.4.34

Description

BentoML contains a path traversal flaw in the bentofile.yaml configuration. An attacker can craft a malicious bentofile.yaml that, when processed by BentoML, allows the exfiltration of arbitrary files from the filesystem into the bento archive. This can lead to supply chain attacks where sensitive information like SSH keys, credentials, and environment variables are silently included in bentos and potentially exposed when pushed to registries or deployed.

The vulnerability stems from insufficient validation of user-provided file paths in multiple fields: description, docker.setup_script, docker.dockerfile_template, and conda.environment_yml. The vulnerable function resolve_user_filepath in src/bentoml/_internal/utils/filesystem.py does not check for path containment, and the code in src/bentoml/_internal/bento/bento.py copies files without proper validation. Multiple path formats are supported, including absolute paths, tilde expansion, environment variable expansion, and relative traversal, simplifying exploitation. The /proc/self/environ vector is particularly dangerous in CI/CD pipelines where secrets are commonly passed as environment variables.

Recommendations

Update to BentoML version 1.4.34 or later.
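
A path containment check of the kind the description says resolve_user_filepath lacks, shown as an added example (it is not BentoML's code or the 1.4.34 fix). The names resolve_contained, audit_bentofile_paths and PathEscapesContext are hypothetical, and the sample field values are constructed.

```python
import os
from pathlib import Path

# Constructed sample: path values for the four bentofile.yaml fields named above
SAMPLE_FIELDS = {
    "description": "./README.md",
    "docker.setup_script": "../outside/setup.sh",
    "docker.dockerfile_template": "~/template.j2",
    "conda.environment_yml": "/proc/self/environ",
}


class PathEscapesContext(ValueError):
    """Raised when a bentofile-style path resolves outside the build context."""


def resolve_contained(user_path: str, build_ctx: str) -> Path:
    """Resolve user_path against build_ctx and require the result to stay inside it.

    Hypothetical helper for illustration; not BentoML's resolve_user_filepath.
    """
    ctx = Path(build_ctx).resolve(strict=True)
    # Apply tilde and environment-variable expansion first, so the check is
    # made on the path that would actually be opened
    expanded = os.path.expandvars(os.path.expanduser(user_path))
    # Joining discards ctx when expanded is absolute, so absolute inputs go
    # through the same containment test; resolve() collapses ".." and symlinks
    candidate = (ctx / expanded).resolve()
    # Compare path components, not string prefixes (/ctx vs /ctx_sibling)
    if candidate != ctx and ctx not in candidate.parents:
        raise PathEscapesContext(f"{user_path!r} resolves to {candidate}, outside {ctx}")
    return candidate


def audit_bentofile_paths(fields: dict, build_ctx: str) -> dict:
    """Return {field: error} for every path field that escapes build_ctx."""
    findings = {}
    for field, value in fields.items():
        try:
            resolve_contained(value, build_ctx)
        except PathEscapesContext as exc:
            findings[field] = str(exc)
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as ctx:
        for field, err in audit_bentofile_paths(SAMPLE_FIELDS, ctx).items():
            print(f"REJECT {field}: {err}")
```

Code that copies the file afterwards should open the resolved path returned by the check rather than re-resolving the raw string, so the path that was validated is the path that is read.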

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-24123
GHSA-6R62-W2Q3-48HF

Affected Products

Bentoml