CVE-2026-34940
Published: 06 April 2026
Summary
CVE-2026-34940 is a high-severity OS Command Injection (CWE-78) vulnerability in KubeAI. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the command injection flaw by upgrading KubeAI to version 0.23.2 or later, directly eliminating the unsanitized input vulnerability.
Mandates validation of model URL components (ref, modelParam) prior to constructing shell commands, preventing arbitrary command injection in startup probes.
Enforces least privilege for creating or updating Model custom resources, limiting the attack surface to only authorized high-privilege users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via unsanitized input into bash -c in Kubernetes operator enables arbitrary Unix shell execution (T1059.004) and exploitation of the KubeAI application over the network (T1190).
NVD Description
KubeAI is an AI inference operator for Kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.
Deeper analysis
CVE-2026-34940 is a command injection vulnerability (CWE-78) affecting KubeAI, an AI inference operator for Kubernetes, in versions prior to 0.23.2. The issue resides in the ollamaStartupProbeScript() function within internal/modelcontroller/engine_ollama.go, which constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref and modelParam). This command is then executed via bash -c as part of a Kubernetes startup probe for model server pods.
An attacker with privileges to create or update Model custom resources can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows injection of arbitrary shell commands that execute with the privileges of the model server pods, potentially leading to high confidentiality and integrity impacts across the scoped cluster, as indicated by the CVSS score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).
The vulnerability is fixed in KubeAI version 0.23.2. Security practitioners should upgrade to this version or later, as detailed in the GitHub Security Advisory at https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr.
This vulnerability is particularly relevant to AI/ML workloads, as KubeAI manages inference operations on Kubernetes clusters, highlighting risks in operator-managed AI deployments. No public information on real-world exploitation is available.
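The flawed pattern described above, next to a validated exec-form alternative, as an added example that is not KubeAI's code or its 0.23.2 fix. The function names other than those quoted on this page, the `ollama pull` command line, and the allow-list are assumptions made for illustration.

```go
// Added illustration; function names and the "ollama pull" command line are
// assumptions, not KubeAI's actual code.
package main

import (
	"fmt"
	"regexp"
)

// componentRe allow-lists characters expected in a model reference such as
// "registry.example.com/library/llama3:8b". The first character must be
// alphanumeric, so a value cannot start with "-" and be read as an option.
var componentRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/:-]{0,254}$`)

// unsafeProbeScript reproduces the flawed pattern: the value is interpolated
// into a string that bash -c will parse, so shell metacharacters in it are
// interpreted rather than treated as data.
func unsafeProbeScript(ref string) []string {
	return []string{"bash", "-c", fmt.Sprintf("ollama pull %s", ref)}
}

// validateComponent rejects any value outside the allow-list.
func validateComponent(name, value string) error {
	if !componentRe.MatchString(value) {
		return fmt.Errorf("invalid %s: %q", name, value)
	}
	return nil
}

// safeProbeCommand validates first, then returns an exec-form argv. A
// Kubernetes exec probe runs the command array directly, with no shell,
// so ref stays a single argument.
func safeProbeCommand(ref string) ([]string, error) {
	if err := validateComponent("ref", ref); err != nil {
		return nil, err
	}
	return []string{"ollama", "pull", ref}, nil
}

func main() {
	// Constructed sample inputs.
	for _, ref := range []string{"library/llama3:8b", "llama3; id", "$(id)", "-x"} {
		cmd, err := safeProbeCommand(ref)
		fmt.Printf("%-20q unsafe=%q safe=%q err=%v\n", ref, unsafeProbeScript(ref)[2], cmd, err)
	}
}
```

Running the same validation in an admission webhook for Model resources, as well as in the controller, rejects a bad value before any pod spec is generated.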
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai