CVE-2026-35044
Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
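The distinction the description turns on, as an added example (not BentoML's code, and not a statement of how 1.4.38 fixes the issue): the same template source rendered by a plain `jinja2.Environment` with `jinja2.ext.do` and by Jinja2's `SandboxedEnvironment`. Both templates are constructed for illustration, and the probe only reads a type name through a dunder attribute.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed, harmless probe: reads a type name via a dunder attribute,
# the kind of Python-internals access a sandbox is expected to refuse.
PROBE_TEMPLATE = "FROM python:3.11-slim\n# probe={{ ''.__class__.__name__ }}"

# Constructed benign template: uses only the values passed in as context.
BENIGN_TEMPLATE = (
    "FROM {{ base_image }}\n"
    "{% do labels.append('built') %}LABEL n={{ labels | length }}"
)


def render(source, sandboxed, **context):
    """Render template source and report whether the engine refused it.

    Returns ("rendered", text) or ("blocked", reason). The `do` extension
    is enabled in both modes to mirror the configuration in the description.
    """
    env_cls = SandboxedEnvironment if sandboxed else Environment
    env = env_cls(extensions=["jinja2.ext.do"])
    try:
        return "rendered", env.from_string(source).render(**context)
    except SecurityError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    for sandboxed in (False, True):
        mode = "sandboxed" if sandboxed else "unsandboxed"
        print(mode, "probe ->", render(PROBE_TEMPLATE, sandboxed))
        print(mode, "benign ->", render(
            BENIGN_TEMPLATE, sandboxed,
            base_image="python:3.11-slim", labels=[],
        ))
```

The benign template renders identically in both modes, so the sandbox costs ordinary templates nothing; only the reach into Python object internals is refused.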
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bentoml (PyPI) | < 1.4.38 | 1.4.38 |
References
- github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6 (nvd; Exploit, Vendor Advisory; WEB)
- github.com/advisories/GHSA-v959-cwq9-7hr6 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35044 (ghsa; ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/bentoml/PYSEC-2026-159.yaml (ghsa; WEB)