CVE-2026-34940

Sažetak

KubeAI is an AI inference operator for kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

Reference

https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr
https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

07-04-2026 - 15:17

Objavljeno

06-04-2026 - 16:16