VYPR
High severity · 8.8 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 10, 2026

CVE-2026-35044

Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
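The difference between the unsandboxed environment described above and a sandboxed one, as an added example that is not BentoML's code or its patch. It assumes the jinja2 package is installed; the template, `log` and `marker` are constructed for illustration, and `SandboxedEnvironment` is shown as an assumed mitigation, not as the change made in 1.4.38.

```python
"""Added example: plain vs. sandboxed Jinja2 rendering of a Dockerfile template."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample template (not from a real bento). The `do` statement
# evaluates a Python expression in the rendering process: here it walks a
# dunder attribute of a context value and writes the result into a host list.
TEMPLATE = (
    "FROM python:3.11-slim\n"
    "{% do log.append(marker.__class__.__name__) %}"
)


def plain_env():
    # Same ingredients the advisory names: unsandboxed Environment + ext.do.
    return Environment(extensions=["jinja2.ext.do"])


def sandboxed_env():
    # Assumed mitigation for illustration: same extension, sandboxed lookups.
    return SandboxedEnvironment(extensions=["jinja2.ext.do"])


def render(env, source):
    """Return (rendered_text, host_log, error) for one render attempt."""
    log = []  # host-side object handed to the template
    try:
        text = env.from_string(source).render(log=log, marker="x")
    except SecurityError as exc:
        # The sandbox refused an attribute lookup or call made by the template.
        return None, log, str(exc)
    return text, log, None


if __name__ == "__main__":
    for name, env in (("plain", plain_env()), ("sandboxed", sandboxed_env())):
        text, log, error = render(env, TEMPLATE)
        print(f"{name}: rendered={text!r} host_log={log} error={error}")
```

In the plain environment the template's expression runs and changes the host-side list; in the sandboxed one the underscore-prefixed attribute lookup is refused and the render aborts with `SecurityError`. The remedy the advisory itself states is upgrading to 1.4.38.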

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
bentoml (PyPI) | < 1.4.38 | 1.4.38

Affected products

  • cpe:2.3:a:bentoml:bentoml:*:*:*:*:*:*:*:*
    Range: <1.4.38
