CVE-2026-35044: BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation

April 3, 2026 (updated April 6, 2026)

The Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation.

References

github.com/advisories/GHSA-v959-cwq9-7hr6
github.com/bentoml/BentoML
github.com/bentoml/BentoML/security/advisories/GHSA-v959-cwq9-7hr6
nvd.nist.gov/vuln/detail/CVE-2026-35044

Code Behaviors & Features

Detect and mitigate CVE-2026-35044 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →