GO-2026-4920

Source
https://pkg.go.dev/vuln/GO-2026-4920
Import Source
https://vuln.go.dev/ID/GO-2026-4920.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-4920
Aliases
Published
2026-04-06T17:49:27Z
Modified
2026-04-06T18:17:45.225053Z
Summary
KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai
Details

KubeAI: OS Command Injection via Model URL in Ollama Engine startup probe allows arbitrary command execution in model pods in github.com/kubeai-project/kubeai

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2026-4920",
    "review_status": "UNREVIEWED"
}
References

Affected packages

Go / github.com/kubeai-project/kubeai

Package

Name
github.com/kubeai-project/kubeai
View open source insights on deps.dev
Purl
pkg:golang/github.com/kubeai-project/kubeai

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.23.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/kubeai-project/kubeai/internal/modelcontroller",
            "symbols": [
                "ModelReconciler.Reconcile",
                "ollamaStartupProbeScript"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-4920.json"