Executive Summary

CVE-2026-34940 is a high-severity OS command injection vulnerability in the KubeAI project's Ollama Engine startup probe. The vulnerability occurs because the function ollamaStartupProbeScript() constructs a shell command string by directly inserting unsanitized components of a model URL (specifically the ref and modelParam fields) into a command executed via bash -c as a Kubernetes startup probe.

An attacker who can create or update Model custom resources (CRDs) can inject arbitrary shell commands through these unsanitized URL components. These commands then execute inside model server pods, potentially allowing the attacker to run any command within those pods.

The vulnerability arises because the ref component allows shell metacharacters like ;, |, $(), and backticks, and the modelParam is completely unsanitized. This enables command injection attacks via specially crafted model URLs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with permissions to create or update Model CRDs to execute arbitrary commands inside model server pods.

• Execution of arbitrary shell commands within pods.
• Potential unauthorized access to secrets and service account tokens.
• Lateral movement within the Kubernetes cluster.
• Compromise of the model serving infrastructure.

In multi-tenant Kubernetes environments, this can lead to significant security breaches and loss of control over cluster resources.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting Kubernetes Model custom resources (CRDs) for suspicious or malformed model URLs that contain shell metacharacters such as ;, |, $(), or backticks in the ref or modelParam fields.

Additionally, reviewing the startup probe definitions in model server pods to check if they use bash -c with unsanitized inputs can help identify vulnerable deployments.

Commands to detect potential exploitation or presence of injected commands inside pods might include:

• kubectl get models -o yaml | grep -E 'ref:.*[;|$`()]|model=.*[;|$`()]' # Search for suspicious characters in Model CRDs
• kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.spec.containers[*].startupProbe.exec.command}{"\n"}{end}' | grep 'bash -c' # Find pods using bash -c in startup probes
• kubectl exec <pod-name> -- ps aux | grep -E 'id|curl|whoami' # Check running processes for suspicious commands

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows arbitrary command execution within model server pods by any user with RBAC permissions to create or update Model custom resources. In multi-tenant Kubernetes environments, this can lead to unauthorized access to secrets, service account tokens, lateral movement within the cluster, and compromise of the model serving infrastructure.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and protection against unauthorized system access.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade KubeAI to version 0.23.2 or later, where this vulnerability is fixed.

Until upgrading, restrict RBAC permissions to prevent untrusted users from creating or updating Model custom resources, as this is the attack vector.

Avoid using startup probes that execute shell commands via bash -c with unsanitized inputs. Instead, use exec probes that pass command arguments as separate array elements to avoid shell interpretation.

Validate or sanitize model URL components (ref and modelParam) to allow only safe characters such as alphanumeric, slashes, colons, dots, and hyphens before they are used in commands.

Useful 0 Not Useful 0