Cyber Resilience

CVE-2026-34940

High · Public PoC · RCE

Published: 06 April 2026

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0045 (35.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34940 is a high-severity OS Command Injection (CWE-78) vulnerability in KubeAI. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34940 is a command injection vulnerability (CWE-78) affecting KubeAI, an AI inference operator for Kubernetes, in versions prior to 0.23.2. The issue resides in the ollamaStartupProbeScript() function within internal/modelcontroller/engine_ollama.go, which constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref and modelParam). This command is then executed via bash -c as part of a Kubernetes startup probe for model server pods.

An attacker with privileges to create or update Model custom resources can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows injection of arbitrary shell commands that execute with the privileges of the model server pods, potentially leading to high confidentiality and integrity impacts across the scoped cluster, as indicated by the CVSS score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N).

The vulnerability is fixed in KubeAI version 0.23.2. Security practitioners should upgrade to this version or later, as detailed in the GitHub Security Advisory at https://github.com/kubeai-project/kubeai/security/advisories/GHSA-324q-cwx9-7crr.

This vulnerability is particularly relevant to AI/ML workloads, as KubeAI manages inference operations on Kubernetes clusters, highlighting risks in operator-managed AI deployments. No public information on real-world exploitation is available.
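
The probe construction described above, as an added example that is not KubeAI's code or its actual patch: the string-built script beside a form that validates both components and passes them to bash as data. The function names, the allowlist pattern and the `ollama pull` / `ollama cp` script body are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allowlist for one model URL component. Assumption: the page does not give
// the grammar KubeAI accepts; this pattern is a conservative stand-in. The
// first character must be alphanumeric, so a value cannot start with "-".
var safeComponent = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/:-]{0,254}$`)

// unsafeProbeScript shows the flawed pattern: untrusted values become part of
// the script text that bash -c will parse. The ollama commands are illustrative.
func unsafeProbeScript(ref, modelParam string) string {
	return fmt.Sprintf("ollama pull %s && ollama cp %s %s", ref, ref, modelParam)
}

// safeProbeCommand validates both components, then returns an exec-probe argv
// with a constant script. The values travel as positional parameters ($1, $2),
// so bash treats them as data and never as script text.
func safeProbeCommand(ref, modelParam string) ([]string, error) {
	for name, v := range map[string]string{"ref": ref, "modelParam": modelParam} {
		if !safeComponent.MatchString(v) {
			return nil, fmt.Errorf("%s %q is outside the allowlist", name, v)
		}
	}
	const script = `ollama pull "$1" && ollama cp "$1" "$2"`
	return []string{"bash", "-c", script, "probe", ref, modelParam}, nil
}

func main() {
	// Constructed inputs: one ordinary reference, one carrying a shell metacharacter.
	for _, ref := range []string{"qwen2:0.5b", "qwen2:0.5b; echo injected"} {
		fmt.Printf("unsafe script: %s\n", unsafeProbeScript(ref, "qwen2"))
		argv, err := safeProbeCommand(ref, "qwen2")
		fmt.Printf("safe argv: %q err: %v\n\n", argv, err)
	}
}
```

Rejecting the value when the Model resource is admitted, rather than only when the probe is built, keeps a bad resource from being stored at all.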

Vulnerability details

KubeAI is an AI inference operator for Kubernetes. Prior to 0.23.2, the ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods. This vulnerability is fixed in 0.23.2.

CWE(s)

AI Security Analysis (AI)

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection via unsanitized input into bash -c in the Kubernetes operator enables arbitrary Unix shell execution (T1059.004) and exploitation of the KubeAI application over the network (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (Shared CWE-78)
CVE-2025-24382 (Shared CWE-78)
CVE-2026-29058 (Shared CWE-78)
CVE-2024-57016 (Shared CWE-78)
CVE-2024-46484 (Shared CWE-78)
CVE-2015-10145 (Shared CWE-78)
CVE-2026-30861 (Shared CWE-78)
CVE-2020-37002 (Shared CWE-78)
CVE-2026-27848 (Shared CWE-78)
CVE-2025-0356 (Shared CWE-78)

Affected Assets

kubeai / kubeai: ≤ 0.23.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely remediation of the command injection flaw by upgrading KubeAI to version 0.23.2 or later, directly eliminating the unsanitized input vulnerability.

Prevent: Mandates validation of model URL components (ref, modelParam) prior to constructing shell commands, preventing arbitrary command injection in startup probes.

Prevent: Enforces least privilege for creating or updating Model custom resources, limiting the attack surface to only authorized high-privilege users.
