{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34940", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.660Z", "datePublished": "2026-04-06T15:49:06.918Z", "dateUpdated": "2026-04-16T13:45:47.027Z"}, "containers": {"cna": {"title": "KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}], "affected": [{"vendor": "kubeai-project", "product": "kubeai", "versions": [{"version": "< 0.23.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T21:05:51.281Z"}, "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "source": {"advisory": "GHSA-324q-cwx9-7crr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:45:38.794191Z", "id": "CVE-2026-34940", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:45:47.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34940", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T13:45:38.794191Z"}}}], "references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:12:47.242Z"}}], "cna": {"title": "KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods", "source": {"advisory": "GHSA-324q-cwx9-7crr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kubeai-project", "product": "kubeai", "versions": [{"status": "affected", "version": "< 0.23.2"}]}], "references": [{"url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "name": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T21:05:51.281Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34940", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:45:47.027Z", "dateReserved": "2026-03-31T17:27:08.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:49:06.918Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubeai:kubeai:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "81310778-51DF-4D61-9DA1-73EAC537BDCF", "versionEndExcluding": "0.23.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2."}], "id": "CVE-2026-34940", "lastModified": "2026-04-15T21:17:27.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T16:16:37.870", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.23.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "kubeai", "vendor": "kubeai-project"}], "analysis": {"en": {"generated_at": "2026-04-17T09:29:39.931073+00:00", "value": {"mitigation_remediation": ["Upgrade KubeAI to version 0.23.2 or later.", "Restrict creation and modification of Model custom resources to trusted users using Kubernetes RBAC.", "Enable audit logging for creation or updates of Model custom resources to detect unauthorized changes."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects KubeAI deployments running any version before 0.23.2, specifically within the Ollama engine startup probe configuration. Administrators should verify the KubeAI version in use and assess whether custom Model resources are exposed to untrusted users.", "description_and_impact": "KubeAI, an AI inference operator for Kubernetes, has a flaw in versions prior to 0.23.2 that allows an attacker\u2014one who can create or update Model custom resources\u2014to inject arbitrary shell commands into the startup probe script. The shell command incorporates unsanitized model URL components, enabling execution of any command within the model server pod. This vulnerability is a CWE-78 OS Command Injection.", "risk_and_exploitability": "With a CVSS score of 8.7, the issue is high severity; however, the EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. The likely attack vector requires privileged access to the Kubernetes cluster to create or edit Model custom resources, a privilege typically governed by RBAC. If RBAC is misconfigured, an attacker can immediately trigger command injection and gain unrestricted execution inside model pods."}}}}, "created": "2026-04-06T21:31:49.586979+00:00", "updated": "2026-04-17T09:30:14.491067+00:00", "vendors": ["kubeai-project", "kubeai-project$PRODUCT$kubeai"]}