High (8.8)

BentoML RCE in Containerize (CVE-2026-35044)


BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_...

Overview

A high-severity vulnerability (CVE-2026-35044) exists in the BentoML open-source framework, in its Docker container generation feature. If a user imports a maliciously crafted Bento archive and runs bentoml containerize on it, the attacker's template executes arbitrary Python code on the host system before any container exists, so the container isolation the user expects never comes into play.

Vulnerability Details

BentoML versions prior to 1.4.38 are affected. The vulnerability resides in the generate_containerfile() function, which renders a Dockerfile template with a plain (unsandboxed) Jinja2 Environment and with the jinja2.ext.do extension enabled. An unsandboxed Jinja2 environment lets a template walk Python object attributes (through names such as __class__, __init__ or __globals__) until it reaches a module like os, and the do extension adds a {% do ... %} statement that evaluates such an expression purely for its side effect, leaving no trace in the rendered Dockerfile. Because a Bento archive can carry its own Dockerfile template, a malicious template runs this way on the machine where the BentoML CLI executes bentoml containerize, not inside any container. The attack requires user interaction (running the containerize command) but no special privileges.
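The following is an added example, not BentoML's code: it reproduces the rendering pattern the paragraph describes (a plain Jinja2 Environment with jinja2.ext.do) against a constructed Dockerfile template, and then renders the same template with Jinja2's SandboxedEnvironment. The template, the marker variable and the function names are all assumptions made for the demonstration; the only real facts it relies on are that cycler is a Jinja2 default global and that the module defining it imports os.

```python
"""Added example: an unsandboxed Jinja2 Environment (with jinja2.ext.do) executes a
template's payload on the host; SandboxedEnvironment rejects the same template.
This is demonstration code, not BentoML's generate_containerfile()."""
import os

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Marker set in the CLI process's environment to prove the template ran code on the host.
MARKER = "BENTO_DEMO_TEMPLATE_RAN"

# Constructed stand-in for a Dockerfile template bundled in a poisoned Bento.
# `cycler` is a Jinja2 default global (jinja2.utils.Cycler); jinja2.utils imports `os`,
# so walking __init__.__globals__ from it reaches the os module.
# The {% do %} block is a statement: it renders to nothing, so the Dockerfile that comes
# out looks clean while the side effect has already happened on the host.
MALICIOUS_TEMPLATE = (
    "{% do cycler.__init__.__globals__.os.environ.__setitem__('" + MARKER + "', 'yes') %}"
    "FROM {{ base_image }}\n"
    "COPY . /home/bentoml/bento\n"
)


def render_like_vulnerable_code(template_src: str, **ctx) -> str:
    """The construction the advisory describes: no sandbox, do-extension enabled."""
    env = Environment(extensions=["jinja2.ext.do"])
    return env.from_string(template_src).render(**ctx)


def render_hardened(template_src: str, **ctx) -> str:
    """Same extension, but the sandbox refuses underscore/internal attributes such as
    __init__ and __globals__, so the traversal to `os` raises SecurityError."""
    env = SandboxedEnvironment(extensions=["jinja2.ext.do"])
    return env.from_string(template_src).render(**ctx)


def demo() -> dict:
    """Render the constructed template both ways and report what happened."""
    os.environ.pop(MARKER, None)
    rendered = render_like_vulnerable_code(MALICIOUS_TEMPLATE, base_image="python:3.11-slim")
    ran_on_host = os.environ.get(MARKER) == "yes"
    os.environ.pop(MARKER, None)  # clean up the side effect

    try:
        render_hardened(MALICIOUS_TEMPLATE, base_image="python:3.11-slim")
        sandbox_blocked = False
    except SecurityError:
        sandbox_blocked = True

    return {"rendered": rendered, "ran_on_host": ran_on_host, "sandbox_blocked": sandbox_blocked}


if __name__ == "__main__":
    result = demo()
    print("rendered Dockerfile:\n" + result["rendered"])
    print("payload ran on host:", result["ran_on_host"])
    print("sandbox blocked it:", result["sandbox_blocked"])
```

Note what the unsandboxed run returns: a perfectly ordinary two-line Dockerfile. The side effect (here a harmless environment variable; in a real attack, any Python the attacker likes) has already executed in the CLI process by the time the Dockerfile text exists. The sandbox is a mitigating layer, not a substitute for the upgrade: the robust fix is to not render attacker-controlled templates with an engine that can reach Python objects at all.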

Impact

The primary risk is remote code execution (RCE). An attacker could craft a poisoned AI model bundle and trick a developer or MLOps engineer into importing and containerizing it. Successful exploitation grants the attacker the same privileges as the user running the BentoML command, potentially leading to full compromise of the CI/CD server, developer workstation, or deployment host. This undermines the core security promise of containerization: the code runs on the host while the image definition is being generated, before any container exists, so there is no isolation boundary for it to cross.

Remediation and Mitigation

The fix is available in BentoML version 1.4.38. Upgrade every environment that uses BentoML. Quote the version specifier so the shell does not treat the > as an output redirect: pip install --upgrade "bentoml>=1.4.38". Confirm afterwards with pip show bentoml that the installed version is 1.4.38 or later.

Immediate Actions:

  1. Upgrade: Prioritize upgrading all development, CI/CD, and deployment environments that use BentoML.
  2. Audit Sources: Only containerize Bento bundles from trusted and verified sources. Treat externally sourced model archives with high suspicion.
  3. Network Controls: The attack is scored as network-based because the malicious archive is delivered over the network, but egress filtering does not stop an archive from executing once it is on the build host. Restrict outbound connections from build servers to necessary, trusted repositories anyway: it narrows where Bentos can come from and limits what a successful payload can reach afterwards.

Until the patch is applied, do not run bentoml containerize on any Bento archive from an unverified origin.
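As a concrete form of the "Audit Sources" step above, here is an added pre-flight check, not part of BentoML, that inspects a Bento's Dockerfile template before anyone runs bentoml containerize. It uses Jinja2's own parser to look at the template's syntax tree without rendering anything, and flags the constructs the advisory turns on: private or dunder attribute access, subscripts with dunder keys, the attr filter (which hides the attribute name in a string), and {% do %} statements. The sample templates are constructed for the example; the block name and bento_base_template in the benign sample are assumed to mirror BentoML's custom-template layout and are not taken from the advisory.

```python
"""Added example: static tripwire for a Dockerfile template taken from an untrusted
Bento. Parses only; the template is never rendered. Not BentoML code."""
from jinja2 import Environment, TemplateSyntaxError, nodes


def template_risk_findings(template_src: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    # The do-extension must be on so that {% do %} parses and can be reported
    # instead of failing as an unknown tag.
    env = Environment(extensions=["jinja2.ext.do"])
    try:
        ast = env.parse(template_src)  # syntax only: nothing executes here
    except TemplateSyntaxError as exc:
        return [f"line {exc.lineno}: template does not parse ({exc.message})"]

    findings = []
    # obj.__init__, obj._private, obj.__globals__ ...
    for node in ast.find_all(nodes.Getattr):
        if node.attr.startswith("_"):
            findings.append(f"line {node.lineno}: access to private/dunder attribute {node.attr!r}")
    # obj["__init__"] ... (same thing spelled as a subscript)
    for node in ast.find_all(nodes.Getitem):
        key = node.arg
        if isinstance(key, nodes.Const) and isinstance(key.value, str) and key.value.startswith("_"):
            findings.append(f"line {node.lineno}: subscript with private/dunder key {key.value!r}")
    # obj|attr("__init__") hides the name inside a filter argument
    for node in ast.find_all(nodes.Filter):
        if node.name == "attr":
            findings.append(f"line {node.lineno}: dynamic attribute lookup via the attr filter")
    # {% do expr %}: executed purely for its side effect, renders to nothing
    for node in ast.find_all(nodes.ExprStmt):
        findings.append(f"line {node.lineno}: {{% do %}} statement executed only for its side effect")
    return sorted(findings)


# Constructed samples. The benign one is shaped like a custom BentoML template as
# assumed for this example (bento_base_template and the block name are assumptions).
BENIGN_TEMPLATE = """{% extends bento_base_template %}
{% block SETUP_BENTO_COMPONENTS %}
{{ super() }}
RUN apt-get update && apt-get install -y --no-install-recommends libgomp1
{% endblock %}
"""

MALICIOUS_TEMPLATE = """{% do cycler.__init__.__globals__.os.environ.__setitem__("PWNED", "1") %}
FROM {{ base_image }}
"""

OBFUSCATED_TEMPLATE = """FROM {{ base_image }}
{% set g = (cycler|attr("__init__"))|attr("__globals__") %}
RUN echo {{ g.os.getcwd() }}
"""


if __name__ == "__main__":
    for label, src in [("benign", BENIGN_TEMPLATE),
                       ("malicious", MALICIOUS_TEMPLATE),
                       ("obfuscated", OBFUSCATED_TEMPLATE)]:
        print(f"== {label} ==")
        for finding in template_risk_findings(src) or ["no findings"]:
            print("  " + finding)
```

Gate on any finding at all: reject the Bento and have a human read the template. This is a tripwire, not a security boundary; an attribute name can be assembled at render time from string pieces, which the parser cannot see, so the check complements the upgrade and the source-trust policy rather than replacing them. The caller is responsible for locating the template file inside the archive; the function only takes the template text.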

Security Insight

This vulnerability highlights the escalating risks in the AI/ML toolchain, where complex packaging and deployment utilities can introduce critical supply chain weaknesses. Similar to past incidents in other DevOps tools, it shows how a seemingly innocuous templating feature can become a severe execution bypass. The flaw underscores that security in MLOps platforms must extend beyond model safety to include the integrity of the entire packaging and deployment pipeline itself.
