Impact
An attacker who can create or update a Model custom resource can inject arbitrary shell commands through unsanitized components of the model URL, which are incorporated into a bash command executed by the Ollama engine startup probe. This is an OS command injection flaw (CWE-78) that allows the attacker to run any command within the model server pod. Because the command is built with fmt.Sprintf and no input validation, the injected payload executes with the privileges of the pod's process. If the pod runs as a privileged user or the container image allows escalation, the attacker may gain control over the host node, compromising the confidentiality, integrity, and availability of the cluster. The vulnerability has no publicly available CVSS score and the EPSS data is missing; it is not listed in the CISA KEV catalog. The likely attack vector is a Kubernetes API request that creates or modifies a Model CR, which requires permissions typically granted to developers or cluster administrators. Once the vulnerable probe runs, the attacker can execute any shell command inside the pod, potentially escalating to node or cluster-wide impact if privileges are high.
Affected Systems
The flaw affects all releases of the kubeai-project:kubeai operator prior to version 0.23.2. Any Kubernetes cluster that has the KubeAI operator deployed and allows users to create or update Model custom resources is at risk. The vulnerability is tied to the Ollama engine's startup probe script, which constructs a shell command from URL parameters. Sysadmins running KubeAI 0.23.1 or earlier, especially in environments where developers have unrestricted access to Model resources, should verify that their RBAC policies limit such permissions. The issue does not depend on the underlying Kubernetes version, only on the operator's version and on whether the model URL can be manipulated. Risk assessment indicates a high-severity remote code execution scenario. Without a CVSS score the exact numeric risk remains undefined, but the lack of sanitization in a privileged shell command typically yields a severity rating of 9+ on a 10-point scale. Exploitation requires only the ability to supply a malicious URL in the model configuration; no additional external conditions are documented.
Risk and Exploitability
The vulnerability cannot be exploited without permission to create or modify a Model custom resource, a role usually reserved for developers or cluster administrators. Once that permission is held, the attacker can inject commands into the startup probe's bash invocation, leading to arbitrary command execution within the pod. Because exploitation only requires a Kubernetes API request, network access to the API server alone may suffice if RBAC is permissive. Since this issue is not cataloged in KEV and has no concrete EPSS score, it may not yet have attracted widespread exploitation. Nonetheless, the potential for full pod or node compromise justifies treating it as a critical exposure. Attackers could use the injected payload to install backdoors, exfiltrate data, or pivot further within the cluster. The OS command injection path is distinct from other known KubeAI weaknesses, which makes the model URL processing a critical control point in its own right.
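To make the pattern concrete, the following is an added illustration (constructed for this page, not KubeAI's own code): a hypothetical startup-probe builder in the flawed fmt.Sprintf-into-bash shape, beside a hardened version that allowlists the model reference and emits the probe in exec form so no shell ever parses it. The "ollama://name:tag" URL layout and the ollama show command are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed illustration of the CWE-78 pattern described above, not KubeAI's
// own code. A Model CR carries a URL such as "ollama://llama3:8b".

// modelRefFromURL (hypothetical) strips the scheme; the rest is untrusted CR input.
func modelRefFromURL(modelURL string) (string, error) {
	if !strings.HasPrefix(modelURL, "ollama://") {
		return "", errors.New("unsupported model URL scheme")
	}
	return strings.TrimPrefix(modelURL, "ollama://"), nil
}

// vulnerableProbe reproduces the flawed shape: the reference is pasted into a
// "bash -c" string via fmt.Sprintf, so any shell metacharacter is interpreted.
func vulnerableProbe(modelURL string) ([]string, error) {
	ref, err := modelRefFromURL(modelURL)
	if err != nil {
		return nil, err
	}
	return []string{"bash", "-c", fmt.Sprintf("ollama show %s", ref)}, nil
}

// modelRefPattern allows only name[:tag] characters; ; | & $ ( ) ` quotes and spaces are excluded.
var modelRefPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*(:[A-Za-z0-9._-]+)?$`)

// hardenedProbe applies two independent fixes: an allowlist check on the
// reference, and an exec-form probe (argv, no shell) so bash never parses it.
func hardenedProbe(modelURL string) ([]string, error) {
	ref, err := modelRefFromURL(modelURL)
	if err != nil {
		return nil, err
	}
	if !modelRefPattern.MatchString(ref) {
		return nil, fmt.Errorf("model reference %q contains disallowed characters", ref)
	}
	return []string{"ollama", "show", ref}, nil
}

func main() {
	fmt.Println(vulnerableProbe("ollama://llama3; id")) // metacharacters reach bash -c
	fmt.Println(hardenedProbe("ollama://llama3; id"))   // rejected before anything runs
}
```

The exec-form change matters independently of the allowlist: Kubernetes probes and container entrypoints can take an argv directly, so a validated value should still never be re-interpreted by bash -c.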
OpenCVE Enrichment
GitHub GHSA