GHSA-w2pm-x38x-jp44: Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
Summary
A vulnerability in BentoML allows command injection through environment variable names in bentofile.yaml files. When a user runs `bentoml containerize` (the command that builds a container image) on a malicious bento configuration, unquoted environment variable names get inserted into the generated Dockerfile, allowing attackers to execute arbitrary commands on the build host during the `docker build` process. This is a sibling vulnerability to two earlier command injection bugs (CVE-2026-33744 and CVE-2026-35043) that were patched for a different field but missed this one.
Solution / Mitigation
The source suggests two fixes in `base_v2.j2` lines 71-73: (1) Apply the `bash_quote` filter to `env.name` in both the `ARG` and `ENV` lines: `ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}` and `ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}`; or (2) Better approach: validate at the schema level by adding `attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$")` to the `name` field in `bentoml/_internal/bento/build_config.py:BentoEnvSchema` to reject newline and shell-metacharacter values when the config is loaded.
Vulnerability Details
EPSS: 0.0%
Yes
May 11, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-w2pm-x38x-jp44
First tracked: May 11, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%