HIGH | CVE-2026-44345 | CNA: GitHub_M

CVE-2026-44345: BentoML: Dockerfile command injection via docker.base_image

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39.

HarborGuard Analysis

Synopsis

This is a Dockerfile command injection vulnerability in BentoML, a Python library for building AI model serving systems. The flaw is reachable over the network and requires no authentication, but does require a victim to process a malicious bento.yaml file containing a crafted multi-line docker.base_image value. Successful exploitation causes BentoML to generate a Dockerfile with injected directives that execute arbitrary commands on the victim host when bentoml containerize runs docker build. A patched-image rebuild at version 1.4.39 is available on HarborGuard for affected environments.
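As an added illustration of the mechanism described above (this is constructed example code, not BentoML's template or fix), `render_unsafe` stands in for raw interpolation of `docker.base_image` into a `FROM` line, so a multi-line value becomes extra Dockerfile directives, while `check_base_image` is the kind of fail-closed validator a defender can run over a bento.yaml value before `bentoml containerize`. The image-reference grammar is a simplified subset of Docker's, and the `WORKDIR /app` line is a placeholder.

```python
import re
from typing import Optional

# Simplified subset of Docker's image reference grammar (assumption: a stricter
# subset is acceptable for validating a build input). Lowercase path components,
# optional registry host[:port]/, optional :tag, optional @sha256 digest.
IMAGE_REF = re.compile(
    r"(?:[A-Za-z0-9.-]+(?::[0-9]+)?/)?"        # optional registry host[:port]/
    r"[a-z0-9]+(?:[._-]+[a-z0-9]+)*"           # first path component
    r"(?:/[a-z0-9]+(?:[._-]+[a-z0-9]+)*)*"     # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"  # optional :tag
    r"(?:@sha256:[0-9a-f]{64})?"               # optional @digest
)

def check_base_image(value: object) -> Optional[str]:
    """Return None if value is a safe docker.base_image, else the rejection reason."""
    if not isinstance(value, str):
        return "docker.base_image must be a string"
    # Newline, CR, tab and other control characters are what let a value
    # smuggle additional directives into the generated Dockerfile.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control character in docker.base_image"
    if len(value) > 255:
        return "docker.base_image longer than 255 characters"
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if not IMAGE_REF.fullmatch(value):
        return "docker.base_image is not a valid image reference"
    return None

def render_unsafe(base_image: str) -> str:
    """Constructed stand-in for raw template interpolation: no escaping, no checks."""
    return f"FROM {base_image}\nWORKDIR /app\n"  # WORKDIR line is a placeholder

def render_safe(base_image: str) -> str:
    """Same rendering, but fail closed on anything that is not an image reference."""
    reason = check_base_image(base_image)
    if reason is not None:
        raise ValueError(reason)
    return render_unsafe(base_image)

def count_directives(dockerfile: str) -> int:
    """Number of instruction lines; the two-line template above should always yield 2."""
    return sum(1 for ln in dockerfile.splitlines() if ln.strip() and not ln.startswith("#"))

if __name__ == "__main__":
    # Constructed sample values: a normal reference and a multi-line one.
    for candidate in ("python:3.11-slim", "python:3.11-slim\nRUN echo injected"):
        print(repr(candidate), "->", check_base_image(candidate) or "ok",
              "| directives if rendered raw:", count_directives(render_unsafe(candidate)))
```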

HarborGuard Coverage

Detection

Detection of CVE-2026-44345 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle BentoML versions below 1.4.39.

Status: Available
Triage

HarborGuard scores this finding at CVSS 8.8 HIGH and can weight it against each customer environment's compliance policy to prioritize severity routing; findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version was published at the time of this record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix at 1.4.39 is confirmed and published. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The malicious bento.yaml can be delivered to the victim over the network, so the attacker must be able to reach the victim through a network channel such as a shared repository, package feed, or direct file transfer.

  • Authentication: Not required

    No credentials or account privileges are needed; an unauthenticated attacker can craft and distribute the malicious bento.yaml without any prior access to the target system.

  • Victim interaction: Required

    The victim must load and process the attacker-supplied bento.yaml by running bentoml containerize, making this a social-engineering vector where the attacker must persuade the victim to use the malicious configuration file.

  • Attack complexity: Low

    Exploitation is reliable and condition-free once the victim processes the file; no race conditions, memory layout knowledge, or special environmental factors are required.

Blast Radius

  • The injected RUN directives execute arbitrary shell commands on the victim host with the permissions of the user running docker build, giving full code execution in that context.
  • An attacker can read files accessible to the build process, including secrets, credentials, or API keys mounted or otherwise available in the build environment.
  • An attacker can modify or delete files on the host filesystem within the scope of the build user's permissions.
  • The build process can be weaponized to exfiltrate data, install persistent backdoors, or pivot to other services reachable from the build host.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against all customer images carrying BentoML below 1.4.39 within minutes of advisory ingestion, covering both pulled and custom-built images. Because no upstream fix version was confirmed at the time of publication, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available as soon as version 1.4.39 is confirmed upstream. For customers with auto-remediation enabled, that rebuild will be followed automatically by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls available through HarborGuard policy include flagging any image containing a pre-fix BentoML version as non-compliant, enforcing network-policy isolation on hosts running bentoml containerize, and blocking promotion of affected images to production registries until the patched rebuild is confirmed clean.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected products: 1
Affected packages:
  • bentoml / BentoML < 1.4.39
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H