CVE-2026-15035
Undergoing Analysis Undergoing Analysis - In Progress

Command Injection in BentoML OpenLLM

Vulnerability report for CVE-2026-15035, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulDB

Description

A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bentoml openllm 0.6.30

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15035 is a command injection vulnerability in the OpenLLM project, specifically in the async_run_command function of src/openllm/common.py. The vulnerability arises because the function uses asyncio.create_subprocess_shell to run commands by joining a list of command arguments into a single shell string without sanitizing inputs. This allows an attacker who can control model repository directory names to include shell metacharacters (such as ;, |, or $()) that get executed as commands on the victim's machine.

An attacker can exploit this vulnerability by creating a malicious model repository directory with a specially crafted name containing shell commands. When a user runs commands like 'openllm run' or 'openllm serve' using that repository, the injected shell commands execute with the user's privileges. The vulnerability requires local access to the victim's machine to exploit.

Impact Analysis

This vulnerability can lead to arbitrary command execution on your machine if you run OpenLLM commands using a maliciously named model repository directory. An attacker with local access can craft directory names that execute shell commands, potentially compromising your system.

  • Execution of arbitrary commands with the privileges of the user running OpenLLM.
  • Potential data compromise or system manipulation due to unauthorized command execution.
  • Risk of malware installation, data exfiltration, or other malicious activities triggered by the injected commands.
Detection Guidance

This vulnerability involves command injection through malicious model repository directory names when running OpenLLM commands like `openllm run` or `openllm serve`. Detection involves checking for suspicious directory names containing shell metacharacters such as `;`, `$()`, or backticks (`).

You can inspect your model repository directories for unusual or suspicious names that might include shell metacharacters.

  • Use commands like `ls -l` or `find` to list directory names and look for suspicious characters, for example: `ls -l /path/to/model/repository`
  • Check running OpenLLM processes for unexpected commands or arguments by using `ps aux | grep openllm`.
  • Monitor system logs or command history for unusual commands triggered by OpenLLM executions.
Mitigation Strategies

To mitigate this vulnerability, avoid running OpenLLM commands (`openllm run` or `openllm serve`) with untrusted or attacker-controlled model repository directories that may contain malicious directory names.

Update OpenLLM to a version that includes the security fix which replaces the vulnerable `asyncio.create_subprocess_shell` call with `asyncio.create_subprocess_exec`, preventing shell interpretation of command arguments.

As an immediate workaround, sanitize or rename model repository directory names to remove any shell metacharacters before running OpenLLM commands.

Limit local user permissions to prevent untrusted users from creating malicious directory names in model repositories.

Compliance Impact

The provided information does not specify how the CVE-2026-15035 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart