CVE-2026-34940
published 2026-04-06CVE-2026-34940: KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go…
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.45%
35.8th percentile
KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kubeai-project_kubeai | >= 0 < 0.23.2 | 0.23.2 |
| kubeai-project | kubeai | < 0.23.2 | 0.23.2 |
| kubeai | kubeai | < 0.23.2 | 0.23.2 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for creation or update of Model custom resources in Kubernetes clusters running KubeAI, particularly where model URL components (ref, modelParam) contain shell metacharacters or command injection payloads ↗
- →Inspect the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go for unsanitized use of fmt.Sprintf with model URL components (ref, modelParam) passed into a bash -c startup probe command ↗
- →Alert on Kubernetes startup probe commands (bash -c) in model server pods that contain unexpected shell operators or subshell constructs, which may indicate command injection via a malicious Model CR ↗
- ·Vulnerability affects KubeAI versions prior to 0.23.2; upgrade to 0.23.2 or later to remediate ↗
- ·Exploitation requires the attacker to have permissions to create or update Model custom resources in the Kubernetes cluster ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai
osv·2026-04-06
CVE-2026-34940 KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai
GHSA
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
ghsa·2026-04-01
CVE-2026-34940 [HIGH] CWE-78 KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
## CHAMP: Description
### Summary
The `ollamaStartupProbeScript()` function in `internal/modelcontroller/engine_ollama.go` constructs a shell command string using `fmt.Sprintf` with unsanitized model URL components (`ref`, `modelParam`). This shell command is executed via `bash -c` as a Kubernetes startup probe. An attacker who can create or update `Model` custom resources can inject arbitrary shell commands that execute inside model server pods.
### Details
The `parseModelURL()` function in `internal/modelcontroller/model_source.go` uses a regex (`^([a-z0-9]+):\/\/([^?]+)(\?.*)?$`) to parse model URLs. The `ref` component (capture group 2) matches `[^?]+`, allowi
OSV
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
osv·2026-04-01
CVE-2026-34940 [HIGH] KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
## CHAMP: Description
### Summary
The `ollamaStartupProbeScript()` function in `internal/modelcontroller/engine_ollama.go` constructs a shell command string using `fmt.Sprintf` with unsanitized model URL components (`ref`, `modelParam`). This shell command is executed via `bash -c` as a Kubernetes startup probe. An attacker who can create or update `Model` custom resources can inject arbitrary shell commands that execute inside model server pods.
### Details
The `parseModelURL()` function in `internal/modelcontroller/model_source.go` uses a regex (`^([a-z0-9]+):\/\/([^?]+)(\?.*)?$`) to parse model URLs. The `ref` component (capture group 2) matches `[^?]+`, allowi
No detection rules found.
No public exploits indexed.
2026-04-06
Published