{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34940", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.660Z", "datePublished": "2026-04-06T15:49:06.918Z", "dateUpdated": "2026-04-07T14:12:56.555Z"}, "containers": {"cna": {"title": "KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}], "affected": [{"vendor": "kubeai-project", "product": "kubeai", "versions": [{"version": "< 0.23.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:49:06.918Z"}, "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "source": {"advisory": "GHSA-324q-cwx9-7crr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:12:53.251491Z", "id": "CVE-2026-34940", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:12:56.555Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34940", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:12:53.251491Z"}}}], "references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:12:47.242Z"}}], "cna": {"title": "KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods", "source": {"advisory": "GHSA-324q-cwx9-7crr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "kubeai-project", "product": "kubeai", "versions": [{"status": "affected", "version": "< 0.23.2"}]}], "references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "name": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:49:06.918Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34940", "state": "PUBLISHED", "dateUpdated": "2026-04-07T14:12:56.555Z", "dateReserved": "2026-03-31T17:27:08.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:49:06.918Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "id": "CVE-2026-34940", "lastModified": "2026-04-07T15:17:40.593", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:37.870", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.23.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "kubeai", "vendor": "kubeai-project"}], "analysis": {"en": {"generated_at": "2026-04-06T20:35:16.142928+00:00", "value": {"mitigation_remediation": ["Upgrade KubeAI to version 0.23.2 or later", "Restrict permissions on Model custom resources to trusted users only", "Review existing Model CRs for suspicious URLs and remove or sanitize them", "Deploy network policies that limit outbound connections from model pods if feasible"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all releases of the kubeai-project:kubeai operator prior to version 0.23.2. Any Kubernetes cluster that has the KubeAI operator deployed and allows users to create or update Model custom resources is at risk. The vulnerability is tied to the Ollama engine\u2019s startup probe script that constructs a shell command based on URL parameters.\n\nSysadmins using KubeAI 0.23.1 or earlier, especially in environments where developers have unrestricted access to Model resources, should verify that their RBAC policies limit such permissions. The issue does not depend on the underlying Kubernetes version but on the operator\u2019s version and the presence of model\u2011URL manipulation.\n\nRisk assessment indicates a high\u2011severity remote code execution scenario. Without a CVSS score, the exact numeric risk remains undefined, but the lack of sanitization in a privileged shell command typically yields a severity rating of 9+ on a 10\u2011point scale. Exploitation requires only the ability to supply a malicious URL to the model configuration; no additional external conditions are documented.", "description_and_impact": "An attacker who can create or update a Model custom resource can inject arbitrary shell commands through unsanitized components of the model URL that are incorporated into a bash command executed by the Ollama engine startup probe. This establishes an OS command injection flaw (CWE-78) that allows the attacker to run any command within the model server pod.\n\nThe misuse of fmt.Sprintf without input validation means the injected payload is executed with the privileges of the pod\u2019s process. If the pod runs as a privileged user or the container image allows escalation, the attacker may gain control over the host node, compromising confidentiality, integrity, and availability of the cluster.\n\nThe vulnerability has no publicly available CVSS score and the EPSS data is missing; it is not listed in the CISA KEV catalog. Likely attack vector is exhausting the Kubernetes API to create or modify a Model CR, which requires permissions typically granted to developers or cluster administrators. Once the vulnerable probe runs, the attacker can execute any shell command inside the pod, potentially escalating to node or cluster\u2011wide impact if privileges are high.", "risk_and_exploitability": "The vulnerability cannot be exploited without permission to create or modify a Model custom resource, a role usually reserved for developers or cluster administrators. Once granted, the attacker can inject commands into the startup probe\u2019s bash invocation, leading to arbitrary command execution within the pod. Due to the requirement of a Kubernetes API request, local network access to the API server alone may suffice if RBAC is permissive.\n\nSince this issue is not cataloged in KEV or listed with a concrete EPSS score, it may have not yet attracted widespread exploitation. Nonetheless, the potential for full pod or node compromise justifies treating it as a critical exposure.\n\nAttackers could use the injected payload to install backdoors, exfiltrate data, or further pivot within the cluster. The OS command injection path is distinct from other known KubeAI weaknesses, specifically making the model URL processing a critical control point."}}}}, "created": "2026-04-06T21:31:49.586979+00:00", "updated": "2026-04-07T09:39:18.264561+00:00", "vendors": ["kubeai-project", "kubeai-project$PRODUCT$kubeai"]}