CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24123: BentoML Path Traversal: Packaging Your Secrets Alongside Your AI Models


Vulnerability ID: CVE-2026-24123
CVSS Score: 7.4
Published: 2026-01-26

A high-severity path traversal vulnerability in BentoML allows an attacker to publish a malicious project configuration that, when built by a victim, silently copies sensitive local files (SSH keys, AWS credentials) into the resulting model archive. This turns a standard ML build pipeline into a data exfiltration engine.

TL;DR

BentoML versions before 1.4.34 fail to validate file paths in bentofile.yaml. An attacker can craft a project configuration that references absolute paths like /etc/passwd or ~/.ssh/id_rsa. When a victim runs bentoml build on this project, the targeted files are read and baked into the final artifact, allowing the attacker to steal secrets from developer machines or CI/CD pipelines.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v3.1: 7.4 (High)
  • Attack Vector: Network / Supply Chain
  • Impact: Confidentiality (High)
  • Affected Component: bentoml build (filesystem.py)
  • Exploit Status: PoC Available

Affected Systems

  • BentoML < 1.4.34 (fixed in 1.4.34)
  • CI/CD pipelines running BentoML build steps
  • Developer workstations used for ML engineering

Code Analysis

Commit: 84d08cf

fix: restrict file access to build context and whitelisted paths

+ if secure:
+    if os.path.isabs(_path):
+        raise ValueError("Absolute paths are not allowed")
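Review bot: the `os.path.isabs(_path)` check in the `secure` branch rejects only absolute paths; a relative reference such as `../../.ssh/id_rsa`, or a `~/.ssh/id_rsa` reference if the path is user-expanded later, still resolves outside the build context. Resolve `_path` against the build directory and require `Path(resolved).is_relative_to(build_root)`, the containment check the Mitigation Strategies section recommends, and add a comment stating what `secure` gates and how the whitelisted paths named in the commit message are exempted.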

Exploit Details

  • Internal Research: Path traversal via description and docker fields in bentofile.yaml

Mitigation Strategies

  • Input Validation: Enforce path containment checks using pathlib.Path.is_relative_to.
  • Principle of Least Privilege: Run build processes in isolated containers with limited filesystem access.
  • Blocklisting: Explicitly deny access to sensitive system paths (/etc, /proc) and hidden directories (.*).
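The containment and blocklist checks above, combined into one validator, as an added example that is not BentoML's own code: each path a manifest references is resolved against the build context (so symlinks and `..` escapes are caught), then checked against a constructed blocklist and for hidden components. The function names, the blocklist contents and the sample manifest entries are assumptions for this illustration.

```python
"""Path-containment check for build-manifest file references.

Added example (not BentoML's own code): validates each path a manifest
references against the build context before it would be read into an archive.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed blocklist: the advisory names /etc and /proc as sensitive system paths.
BLOCKED_PREFIXES = (PurePosixPath("/etc"), PurePosixPath("/proc"))


def check_build_path(build_root: str, candidate: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only paths that resolve inside build_root pass.

    Rejects absolute paths, '~' expansion, '..' escapes and symlinks that
    leave the context (resolve() follows them), blocklisted system prefixes,
    and hidden path components such as '.ssh' or '.env'.
    """
    root = Path(build_root).resolve()
    raw = PurePosixPath(candidate)
    if raw.is_absolute():
        return False, "absolute path"
    if raw.parts and raw.parts[0].startswith("~"):
        return False, "home-directory expansion"
    resolved = (root / raw).resolve()          # normalises '..' and follows symlinks
    if not resolved.is_relative_to(root):
        return False, "escapes build context"
    for prefix in BLOCKED_PREFIXES:             # defence in depth if root itself is wide
        if resolved.is_relative_to(prefix):
            return False, f"blocklisted prefix {prefix}"
    if any(part.startswith(".") for part in raw.parts):
        return False, "hidden path component"
    return True, "ok"


def demo_audit() -> dict[str, str]:
    """Run the check over a constructed manifest inside a throwaway build context."""
    manifest_paths = ["src/model.py", "/etc/passwd", "~/.ssh/id_rsa",
                      "../../.ssh/id_rsa", "configs/.secret", "etc_link/passwd"]
    with tempfile.TemporaryDirectory() as build_dir:
        try:
            # A symlink inside the context that points outside it (constructed case).
            os.symlink("/etc", os.path.join(build_dir, "etc_link"))
        except OSError:
            pass  # symlinks unavailable here; that entry then checks as a plain relative path
        return {p: check_build_path(build_dir, p)[1] for p in manifest_paths}


if __name__ == "__main__":
    for path, reason in demo_audit().items():
        print(f"{path!r:24} -> {reason}")
```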

Remediation Steps:

  1. Upgrade BentoML to version 1.4.34 or higher immediately.
  2. Audit existing bentofile.yaml files in your repositories for suspicious file: directives or absolute paths.
  3. Restrict CI/CD runner permissions to minimize the impact of credential theft.

Read the full report for CVE-2026-24123 on our website for more details including interactive diagrams and full exploit analysis.
