CVE-2026-24123: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to vers
highvulnerability
security
Summary
BentoML, a Python library for serving AI models, had a vulnerability (before version 1.4.34) that allowed path traversal attacks (exploiting file path inputs to access files outside intended directories) through its configuration file. An attacker could trick a user into building a malicious configuration that would steal sensitive files like SSH keys or passwords and hide them in the compiled application, potentially exposing them when shared or deployed.
Solution / Mitigation
Update BentoML to version 1.4.34 or later, which contains a patch for this issue.
Vulnerability Details
CVSS Score
7.4(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-24123
First tracked: February 15, 2026 at 08:45 PM
Classified by LLM (prompt v3) · confidence: 95%