CVE-2026-33744

HIGHPre-NVD 7.87.8
EchelonGraph scoreMEDIUM confidence

This high-severity CVE scores 7.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 99% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
7.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 7.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Summary

The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.

Affected Component

  • src/_bentoml_sdk/images.py:85-89.format(packages=" ".join(packages)) into shell command
  • src/bentoml/_internal/container/frontend/dockerfile/templates/base_debian.j2:13{{ __options__system_packages | join(' ') }}
  • src/bentoml/_internal/bento/build_config.py:174 — No validation on system_packages
  • All distro install commands in src/bentoml/_internal/container/frontend/dockerfile/__init__.py

Affected Versions

All versions supporting docker.system_packages in bentofile.yaml, confirmed on 1.4.36.

Steps to Reproduce

  • Create a project directory with:

service.py:

import bentoml

@bentoml.service class MyService: @bentoml.api def predict(self) -> str: return "hello"

bentofile.yaml:

service: "service:MyService"
docker:
  system_packages:
  • "curl && id > /tmp/bentoml-pwned #"
  • Run:
  • bentoml build
    • Examine the generated Dockerfile at ~/bentoml/bentos/my_service//env/docker/Dockerfile. Line 41 will contain:
    RUN apt-get install -q -y -o Dpkg::Options::=--force-confdef curl && id > /tmp/bentoml-pwned #
    • Running bentoml containerize my_service: will execute id > /tmp/bentoml-pwned as root during the Docker build.

    Root Cause

    The system_packages field values are treated as package names (data) by the user but are string-formatted directly into shell commands in the Dockerfile:

    # images.py:85-89
    self.commands.append(
        CONTAINER_METADATA[self.distro]["install_command"].format(
            packages=" ".join(packages)  # No escaping
        )
    )

    Where install_command is "apt-get install -q -y -o Dpkg::Options::=--force-confdef {packages}".

    A bash_quote filter (wrapping shlex.quote) exists in the codebase and is registered in both Jinja2 environments, but it is only applied to environment variable values, never to system_packages.

    Impact

    • Malicious repositories: An attacker publishes an ML project with a crafted bentofile.yaml. Anyone who clones and builds it gets arbitrary code execution during docker build.
    • CI/CD compromise: Automated pipelines running bentoml containerize on PRs that modify bentofile.yaml are vulnerable.
    • BentoCloud: If BentoCloud builds images from user-supplied bentofile.yaml, this could achieve RCE on cloud infrastructure.
    • Supply chain: Shared bentos or model repos in the BentoML ecosystem can contain malicious configs.

    Suggested Fix

    Option 1: Input validation (recommended)

    Add a regex validator to system_packages in build_config.py:

    import re

    VALID_PACKAGE_NAME = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9.+\-_:]*$')

    def _validate_system_packages(instance, attribute, value): if value is None: return for pkg in value: if not VALID_PACKAGE_NAME.match(pkg): raise BentoMLException( f"Invalid system package name: {pkg!r}. " "Package names may only contain alphanumeric characters, " "dots, plus signs, hyphens, underscores, and colons." )

    system_packages: t.Optional[t.List[str]] = attr.field( default=None, validator=_validate_system_packages )

    Option 2: Output escaping

    Apply shlex.quote() to each package name before interpolation in images.py:system_packages() and apply the bash_quote Jinja2 filter in base_debian.j2.

    CVSS v3
    7.8
    EG Score
    7.8(medium)
    EPSS
    17.0%
    KEV
    Not listed

    Published

    March 26, 2026

    Last Modified

    March 26, 2026

    Vendor Advisories for CVE-2026-33744(1)

    These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

    Affected Packages

    (1 across 1 ecosystem)
    PyPI(1)
    PackageVulnerable rangeFixed inDependents
    bentoml0.0.1 ... 1.4.9 (216 versions)1.4.37

    Data Freshness Timeline

    (refreshed 9× in last 7d / 42× in last 30d)

    Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

    1. 2026-07-12 05:46 UTCEPSS rescore
    2. 2026-07-11 08:27 UTCEPSS rescore
    3. 2026-07-09 19:10 UTCEPSS rescore
    4. 2026-07-08 15:15 UTCEPSS rescore
    5. 2026-07-07 13:46 UTCEPSS rescore
    6. 2026-07-06 16:27 UTCEPSS rescore
    7. 2026-07-06 16:27 UTCEPSS rescore
    8. 2026-07-06 02:23 UTCEPSS rescore
    9. 2026-07-06 02:23 UTCEPSS rescore
    10. 2026-07-05 02:30 UTCEPSS rescore
    11. 2026-07-04 06:31 UTCEPSS rescore
    12. 2026-07-01 15:06 UTCEPSS rescore
    13. 2026-06-30 23:22 UTCEPSS rescore
    14. 2026-06-29 14:06 UTCEPSS rescore
    15. 2026-06-29 14:06 UTCEPSS rescore
    16. 2026-06-29 03:32 UTCOSV refresh
    17. 2026-06-28 14:07 UTCEPSS rescore
    18. 2026-06-28 14:07 UTCEPSS rescore
    19. 2026-06-28 04:56 UTCEPSS rescore
    20. 2026-06-28 04:56 UTCEPSS rescore
    21. 2026-06-27 03:08 UTCEPSS rescore
    22. 2026-06-25 13:49 UTCEPSS rescore
    23. 2026-06-25 13:49 UTCEPSS rescore
    24. 2026-06-24 14:05 UTCEPSS rescore
    25. 2026-06-23 21:33 UTCEPSS rescore
    Show 26 more
    1. 2026-06-23 21:33 UTCEPSS rescore
    2. 2026-06-22 14:25 UTCEPSS rescore
    3. 2026-06-22 14:25 UTCEPSS rescore
    4. 2026-06-21 14:56 UTCEPSS rescore
    5. 2026-06-21 14:56 UTCEPSS rescore
    6. 2026-06-21 01:59 UTCEPSS rescore
    7. 2026-06-19 19:25 UTCEPSS rescore
    8. 2026-06-19 19:25 UTCEPSS rescore
    9. 2026-06-18 17:52 UTCEPSS rescore
    10. 2026-06-18 17:52 UTCEPSS rescore
    11. 2026-06-17 17:53 UTCEPSS rescore
    12. 2026-06-16 17:52 UTCEPSS rescore
    13. 2026-06-15 17:49 UTCEPSS rescore
    14. 2026-06-14 23:18 UTCEPSS rescore
    15. 2026-06-13 23:00 UTCEPSS rescore
    16. 2026-06-12 23:12 UTCEPSS rescore
    17. 2026-06-12 23:12 UTCEPSS rescore
    18. 2026-06-11 23:22 UTCEG score recompute
    19. 2026-06-11 14:00 UTCEPSS rescore
    20. 2026-06-10 22:18 UTCEPSS rescore
    21. 2026-06-10 14:48 UTCEG score recompute
    22. 2026-06-10 13:22 UTCEPSS rescore
    23. 2026-06-10 02:32 UTCEG score recompute
    24. 2026-06-09 15:34 UTCEG score recompute
    25. 2026-06-08 20:42 UTCEG score recompute
    26. 2026-06-08 20:41 UTCOSV refresh

    Frequently asked(5)

    What is CVE-2026-33744?
    CVE-2026-33744 is a high vulnerability published on March 26, 2026. BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml Summary The docker.systempackages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since systempackages is semantically a list of OS…
    When was CVE-2026-33744 disclosed?
    CVE-2026-33744 was first published in the National Vulnerability Database on March 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
    Is CVE-2026-33744 actively exploited?
    CVE-2026-33744 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 17.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
    What is the CVSS score of CVE-2026-33744?
    CVE-2026-33744 has a CVSS v4.0 base score of 7.8 (CNA self-assessment; NVD's own analysis pending).
    How do I remediate CVE-2026-33744?
    Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-33744, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

    Dependency Blast Radius

    See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-33744

    Explore →

    Is Your Infrastructure Affected by CVE-2026-33744?

    EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.