Description
KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

KubeAI, an AI inference operator for Kubernetes, has a flaw in versions prior to 0.23.2 that allows an attacker—one who can create or update Model custom resources—to inject arbitrary shell commands into the startup probe script. The shell command incorporates unsanitized model URL components, enabling execution of any command within the model server pod. This vulnerability is a CWE-78 OS Command Injection.

Affected Systems

The vulnerability affects KubeAI deployments running any version before 0.23.2, specifically within the Ollama engine startup probe configuration. Administrators should verify the KubeAI version in use and assess whether custom Model resources are exposed to untrusted users.

Risk and Exploitability

With a CVSS score of 8.7, the issue is high severity; however, the EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits. The likely attack vector requires privileged access to the Kubernetes cluster to create or edit Model custom resources, a privilege typically governed by RBAC. If RBAC is misconfigured, an attacker can immediately trigger command injection and gain unrestricted execution inside model pods.

Generated by OpenCVE AI on April 17, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade KubeAI to version 0.23.2 or later.
  • Restrict creation and modification of Model custom resources to trusted users using Kubernetes RBAC.
  • Enable audit logging for creation or updates of Model custom resources to detect unauthorized changes.

Generated by OpenCVE AI on April 17, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-324q-cwx9-7crr KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 0.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

 cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}

cvssV4_0

{'score': 0.0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Tue, 14 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Kubeai
Kubeai kubeai
CPEs cpe:2.3:a:kubeai:kubeai:*:*:*:*:*:kubernetes:*:*
Vendors & Products Kubeai
Kubeai kubeai
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubeai-project
Kubeai-project kubeai
Vendors & Products Kubeai-project
Kubeai-project kubeai

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.
Title KubeAI has an OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Kubeai Kubeai
Kubeai-project Kubeai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:45:47.027Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34940

cve-icon Vulnrichment

Updated: 2026-04-07T14:12:47.242Z

cve-icon NVD

Status : Modified

Published: 2026-04-06T16:16:37.870

Modified: 2026-04-15T21:17:27.010

Link: CVE-2026-34940

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses