{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35043", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:10:24.466Z", "dateUpdated": "2026-04-07T14:09:07.570Z"}, "containers": {"cna": {"title": "BentoML: command injection in cloud deployment setup script (deployment.py)", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw"}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"version": "< 1.4.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:10:24.466Z"}, "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38."}], "source": {"advisory": "GHSA-fgv4-6jr3-jgfw", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:09:04.043559Z", "id": "CVE-2026-35043", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:09:07.570Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35043", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:09:04.043559Z"}}}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:08:57.594Z"}}], "cna": {"title": "BentoML: command injection in cloud deployment setup script (deployment.py)", "source": {"advisory": "GHSA-fgv4-6jr3-jgfw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bentoml", "product": "BentoML", "versions": [{"status": "affected", "version": "< 1.4.38"}]}], "references": [{"url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "name": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:10:24.466Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35043", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:09:07.570Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:10:24.466Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D86CC10-0560-4752-9FA9-485FD844D90B", "versionEndExcluding": "1.4.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38."}], "id": "CVE-2026-35043", "lastModified": "2026-04-10T18:54:17.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:41.823", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-fgv4-6jr3-jgfw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BentoML", "source": "cna", "vendor": "bentoml"}, "product": "bentoml", "vendor": "bentoml"}], "analysis": {"en": {"generated_at": "2026-04-10T20:32:24.896527+00:00", "value": {"mitigation_remediation": ["Upgrade BentoML to version 1.4.38 or later, which removes the vulnerable f-string usage.", "If immediate upgrade is not possible, avoid using BentoCloud for deployments that rely on the old deployment.py path until a patch is applied.", "Monitor the deployment logs for unexpected setup script modifications and enforce a policy to reject any upload of privileged commands."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BentoML Python library, specifically versions earlier than 1.4.38. Users deploying models to BentoCloud using the affected deployment.py script are at risk.", "description_and_impact": "BentoML\u2019s cloud deployment path was vulnerable to command injection due to an unsanitized f-string that interpolated system_packages directly into a shell command. The resulting setup script is uploaded to BentoCloud and executed on the build infrastructure, allowing an attacker to run arbitrary commands. This flaw can lead to complete compromise of the cloud deployment environment, affecting confidentiality, integrity, and availability of the deployed service.", "risk_and_exploitability": "With a CVSS score of 7.8, the severity is high. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to submit a deployment to BentoCloud that triggers the vulnerable script; no local privilege escalation or network compromise is required, as the attack vector is the CI/CD tier of BentoCloud. The exploit is straightforward once a deployment is created, with no complex prerequisite conditions cited in the advisory."}}}}, "created": "2026-04-06T21:29:55.683497+00:00", "updated": "2026-04-13T14:27:43.980696+00:00", "vendors": ["bentoml", "bentoml$PRODUCT$bentoml"]}