CVE-2026-44346 | Severity: HIGH | CNA: GitHub_M

CVE-2026-44346: BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.

HarborGuard Analysis

Synopsis

A command injection vulnerability in BentoML (Python library for AI model serving) allows an attacker to embed malicious shell commands inside a crafted bentofile.yaml file. Because BentoML writes environment variable names from that file directly into generated Dockerfiles without sanitizing newline characters, a poisoned bentofile.yaml produces unquoted RUN directives that execute arbitrary commands on the host machine when the victim runs bentoml containerize. Successful exploitation gives the attacker code execution on the build host, with full read, write, and availability impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-44346 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle BentoML as a dependency. Any image found carrying an affected version of BentoML is flagged immediately in the customer's scan results and pipeline gates.

Status: Available
Triage

Triage is available using the CVSS v3.1 score of 8.8 (HIGH), with per-environment compliance policy weighting applied so that teams running AI workloads or build-pipeline images get appropriately elevated priority routing. Findings are surfaced to the configured inbox or ticketing integration inside each customer organization based on their policy rules.

Status: Available
Patch

Because no fix version has been published upstream for this CVE yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention as soon as a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a malicious bentofile.yaml to the victim over the network, making network reachability a prerequisite for the social-engineering step that triggers the build.

  • Authentication: Not required

    No account or credentials are needed; the attacker only needs to get the victim to import and containerize a crafted bento artifact.

  • Victim interaction: Required

    The victim must explicitly run bentoml containerize on the imported malicious bento, meaning the attacker must persuade them to do so through phishing, a supply-chain substitution, or a similarly deceptive method.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free once the victim runs the containerize command; no race conditions or special memory layout are involved.

Blast Radius

  • The attacker executes arbitrary shell commands on the host machine during the docker build process.
  • Sensitive files, credentials, environment variables, and secrets accessible on the build host are exposed to the attacker.
  • The attacker can write or modify files on the build host, including injecting backdoors into the resulting container image.
  • The build process itself can be crashed or corrupted, disrupting CI/CD pipelines and image delivery workflows.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version for CVE-2026-44346 exists at this time, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment BentoML 1.4.39 or a later fix version is published. In the interim, compensating controls are worth considering: apply network policy isolation to restrict which sources can supply bentofile.yaml or bento artifacts to build pipelines; use egress filtering on build hosts to limit the blast radius of any injected commands; and gate bentoml containerize invocations behind a review step that inspects the envs[*].name fields in incoming bentofiles for embedded newline characters. For customers with auto-remediation enabled, once the upstream fix ships, HarborGuard will produce a rebuilt image, run regression tests, and open a PR against affected workloads without manual intervention.
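The review step suggested above, and the newline-in-name mechanism described at the top of the advisory, can be turned into a pre-build gate. The following is an added example written for this page, not BentoML's or HarborGuard's own code; the identifier rule it enforces is a strict policy assumption (POSIX-style environment variable names), and the sample bentofile is constructed inline.

```python
"""Pre-containerize gate for bentofile.yaml (added example, not BentoML code).

Rejects any envs[*].name that could break out of a generated Dockerfile
directive. The identifier rule below is a strict policy assumption."""
from __future__ import annotations

import re

# POSIX-style env var name: rules out newlines, spaces and shell metacharacters.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_envs(bentofile: dict) -> list[str]:
    """Return a list of findings; an empty list means the envs section passes."""
    findings = []
    envs = bentofile.get("envs") or []
    if not isinstance(envs, list):
        return ["envs must be a list of {name, value} mappings"]
    for idx, env in enumerate(envs):
        if not isinstance(env, dict):
            findings.append(f"envs[{idx}]: expected a mapping, got {type(env).__name__}")
            continue
        name = env.get("name")
        if not isinstance(name, str):
            findings.append(f"envs[{idx}].name: missing or not a string")
            continue
        if "\n" in name or "\r" in name:
            findings.append(f"envs[{idx}].name: embedded newline (Dockerfile directive injection)")
        elif not ENV_NAME_RE.fullmatch(name):
            findings.append(f"envs[{idx}].name: {name!r} is not a valid identifier")
        value = env.get("value")  # values are checked too, beyond what the advisory names
        if isinstance(value, str) and ("\n" in value or "\r" in value):
            findings.append(f"envs[{idx}].value: embedded newline")
    return findings


def gate_bentofile(path: str) -> list[str]:
    """Load a bentofile.yaml from disk (needs PyYAML) and run the check."""
    import yaml  # imported here so check_envs itself has no third-party dependency
    with open(path, encoding="utf-8") as fh:
        return check_envs(yaml.safe_load(fh) or {})


# Constructed sample: one benign entry and one name carrying an injected newline.
SAMPLE_BENTOFILE = {
    "service": "service:svc",
    "envs": [{"name": "MODEL_NAME", "value": "demo"}, {"name": "BAD\nRUN echo injected", "value": "x"}],
}

if __name__ == "__main__":
    import sys
    problems = gate_bentofile(sys.argv[1]) if len(sys.argv) > 1 else check_envs(SAMPLE_BENTOFILE)
    for p in problems:
        print("REJECT:", p)
    sys.exit(1 if problems else 0)
```

Wire it into CI so that a non-zero exit blocks the `bentoml containerize` step; run it against the bentofile inside the imported bento, not only the one in source control.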

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in:
Affected Products: 1
Affected packages:
  • bentoml / BentoML: < 1.4.39
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H