CVE-2026-15035 openllm vulnerability
A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function async_run_command of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Quick answer
bentoml openllm should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 0.6.30
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-15035 affects BentoML OpenLLM 0.6.30 where model repository directory names can influence shell command construction in local model-serving workflows. The issue requires local execution or use of an attacker-controlled model repository, but the reported exploit path can lead to command injection on the machine running OpenLLM. The upstream GitHub issue and related pull request were still open at review time, so do not assume a released fix unless the maintainer has published one for your installation. Until a maintainer-supported patched release is available, avoid untrusted model repositories, isolate OpenLLM execution, and apply only reviewed vendor or maintainer-approved patches.
- Inventory OpenLLM installations, developer workstations, notebooks, CI jobs, and servers that run or serve model repositories.
- Identify whether OpenLLM 0.6.30 is installed and whether users can run models from repositories or directory names they do not fully control.
- Stop using untrusted model repositories and remove any repository directories with shell metacharacters or unexpected names.
- Upgrade to a maintainer-supported patched OpenLLM release when available, or apply a reviewed upstream patch only through the normal change process.
- Run OpenLLM under a low-privilege user in a container, virtual environment, or sandbox with no broad filesystem or cloud credential access.
- Review shell history, process execution logs, CI logs, and model-serving logs for unexpected commands launched during OpenLLM runs.
- Rotate local tokens, API keys, SSH keys, and cloud credentials if an untrusted model repository was executed on the host.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the installed OpenLLM version or applied patch no longer constructs model execution through a shell string.
- Confirm untrusted model repositories cannot be run in production or CI without review and isolation.
- Run a controlled test with benign unusual directory names and confirm no shell metacharacters are interpreted as commands.
- Review logs after remediation for unexpected process launches and document any host rebuild or credential rotation decisions.
- Document the maintainer issue or release used as evidence for the remediation status.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15035?
bentoml openllm versions listed as affected should be reviewed: 0.6.30.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
