AI Threat Alert
If your team builds BentoML packages from external or community-sourced bentofiles, upgrade to 1.4.34 immediately — a malicious bentofile.yaml can silently exfiltrate SSH keys, .env files, and credentials into your bento archive before it reaches a registry. The real risk is supply chain: a compromised open-source model repo can trigger credential theft during a routine CI/CD build. Patch first, then audit any bento archives built from untrusted sources for unexpected file inclusions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| bentoml | pip | < 1.4.34 | 1.4.34 |
| bentoml | pip | — | No patch |
Severity & Risk
Recommended Action
- 1. Patch: Upgrade BentoML to >= 1.4.34 immediately across all build environments. 2. Audit: Inspect bento archives built on affected versions for unexpected non-model files — scan for .ssh, .env, credentials, and config files outside expected directory structures. 3. Trust controls: Never run bentoml build on untrusted bentofiles without prior code review of all file path fields. 4. Detection: Add pre-build linting rules to validate bentofile.yaml path fields against strict allowlists, failing builds on path traversal patterns (e.g., ../). 5. CI/CD hygiene: Ensure build environments are ephemeral, isolated, and credentials are injected via secrets managers rather than stored as on-disk files accessible during builds. 6. Registry audit: Review push history for model registries that received artifacts built by BentoML < 1.4.34 and rotate any credentials that may have been co-located on build hosts.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue.
Exploitation Scenario
An adversary publishes a popular open-source ML project on GitHub with a crafted bentofile.yaml where the docker.setup_script field contains a path traversal payload pointing to ../../../../home/user/.ssh/id_rsa or a cloud credentials file. A developer or CI/CD pipeline clones the repo and runs bentoml build to package the model for deployment — standard MLOps workflow. BentoML follows the traversal path and silently embeds the SSH private key inside the bento archive without any warning. The team pushes the archive to a shared or public model registry. The adversary pulls the archive and extracts the embedded credential, enabling lateral movement into production infrastructure or cloud environments.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N References
- github.com/advisories/GHSA-6r62-w2q3-48hf
- github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4
- github.com/bentoml/BentoML/releases/tag/v1.4.34
- github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf
- nvd.nist.gov/vuln/detail/CVE-2026-24123
- github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4 Patch
- github.com/bentoml/BentoML/releases/tag/v1.4.34 Product Release
- github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf Vendor