CVE-2026-33744: BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

March 26, 2026

The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.

References

github.com/advisories/GHSA-jfjg-vc52-wqvf
github.com/bentoml/BentoML
github.com/bentoml/BentoML/security/advisories/GHSA-jfjg-vc52-wqvf
nvd.nist.gov/vuln/detail/CVE-2026-33744

Code Behaviors & Features

Detect and mitigate CVE-2026-33744 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →