{"data":{"id":"b170c921-960c-4cdc-9de0-82cfd4a13632","title":"GHSA-w2pm-x38x-jp44: Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)","summary":"A vulnerability in BentoML allows command injection through environment variable names in bentofile.yaml files. When a user runs `bentoml containerize` (the command that builds a container image) on a malicious bento configuration, unquoted environment variable names get inserted into the generated Dockerfile, allowing attackers to execute arbitrary commands on the build host during the `docker build` process. This is a sibling vulnerability to two earlier command injection bugs (CVE-2026-33744 and CVE-2026-35043) that were patched for a different field but missed this one.","solution":"The source suggests two fixes in `base_v2.j2` lines 71-73: (1) Apply the `bash_quote` filter to `env.name` in both the `ARG` and `ENV` lines: `ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}` and `ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}`; or (2) Better approach: validate at the schema level by adding `attr.validators.matches_re(r\"^[A-Za-z_][A-Za-z0-9_]*$\")` to the `name` field in `bentoml/_internal/bento/build_config.py:BentoEnvSchema` to reject newline and shell-metacharacter values when the config is loaded.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-w2pm-x38x-jp44","publishedAt":"2026-05-11T14:27:37.000Z","cveId":"CVE-2026-44346","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["bentoml@<= 1.4.38 (fixed: 1.4.39)"],"affectedVendors":[],"affectedVendorsRaw":["BentoML"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-11T14:27:37.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}