{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33744", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.562Z", "datePublished": "2026-03-27T00:45:08.108Z", "dateUpdated": "2026-03-27T20:01:40.600Z"}, "containers": {"cna": {"title": "BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"version": "< 1.4.37", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:45:08.108Z"}, "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}], "source": {"advisory": "GHSA-jfjg-vc52-wqvf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:01:10.256531Z", "id": "CVE-2026-33744", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:01:40.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33744", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T20:01:10.256531Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:01:33.499Z"}}], "cna": {"title": "BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml", "source": {"advisory": "GHSA-jfjg-vc52-wqvf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"status": "affected", "version": "< 1.4.37"}]}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:45:08.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33744", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:01:40.600Z", "dateReserved": "2026-03-23T17:34:57.562Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:45:08.108Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "matchCriteriaId": "C913A594-9EEC-40AC-A218-6FEA1F57E614", "versionEndExcluding": "1.4.37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious `bentofile.yaml` achieves arbitrary command execution during `bentoml containerize` / `docker build`. Version 1.4.37 fixes the issue."}, {"lang": "es", "value": "BentoML es una biblioteca de Python para construir sistemas de servicio en l\u00ednea optimizados para aplicaciones de IA e inferencia de modelos. Antes de la versi\u00f3n 1.4.37, el campo 'docker.system_packages' en 'bentofile.yaml' aceptaba cadenas arbitrarias que se interpolaban directamente en los comandos 'RUN' de Dockerfile sin sanitizaci\u00f3n. Dado que 'system_packages' es sem\u00e1nticamente una lista de nombres de paquetes del sistema operativo (datos), los usuarios no esperan que los valores se interpreten como comandos de shell. Un 'bentofile.yaml' malicioso logra la ejecuci\u00f3n arbitraria de comandos durante 'bentoml containerize' / 'docker build'. La versi\u00f3n 1.4.37 corrige el problema."}], "id": "CVE-2026-33744", "lastModified": "2026-04-01T15:00:48.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.007", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.37)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BentoML", "source": "cna", "vendor": "bentoml"}, "product": "bentoml", "vendor": "bentoml"}], "analysis": {"en": {"generated_at": "2026-04-02T04:11:28.980747+00:00", "value": {"mitigation_remediation": ["Upgrade to BentoML 1.4.37 or later to eliminate the vulnerability."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Command Execution during container build"}, "threat_synthesis": {"affected_systems": "Any deployment using BentoML library versions earlier than 1.4.37 that employs the docker.system_packages field to specify operating system packages. Attackers who control the bentofile.yaml or have influence over the build process can exploit the vulnerability.", "description_and_impact": "BentoML, a Python library for AI model serving, contained a flaw in versions prior to 1.4.37. The field name \"docker.system_packages\" in a bentofile.yaml file was treated as raw text and inserted directly into Dockerfile RUN commands. This allowed any string supplied in that list to be executed as a shell command, providing attackers with the ability to run arbitrary code while the container image is built.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.8, indicating high severity, but an EPSS score of less than 1%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, and the attack vector is inferred to be local to the build environment, requiring control over the bentofile.yaml used during containerization. Because the flaw allows execution of arbitrary shell commands on the builder host, it can lead to full compromise of the build infrastructure if not mitigated."}}}}, "created": "2026-03-27T08:31:05.585341+00:00", "updated": "2026-04-02T07:55:49.110280+00:00", "vendors": ["bentoml", "bentoml$PRODUCT$bentoml"]}