Ethical Hacking News
Cybersecurity researchers have disclosed a critical security vulnerability, tracked as CVE-2026-7482, in Ollama, a widely used framework for running large language models. An out-of-bounds read in the GGUF model loader, triggered during model creation, lets a remote, unauthenticated attacker leak Ollama process memory, including environment variables, API keys and system prompts. Users are strongly advised to apply the latest fixes, limit network access, audit running instances for internet exposure, isolate them behind a firewall, and place an authentication proxy or API gateway in front of every Ollama instance.
Cybersecurity researchers have recently disclosed a critical security vulnerability in Ollama, a popular open-source framework that runs large language models (LLMs) locally instead of in the cloud. The vulnerability, tracked as CVE-2026-7482 with a CVSS score of 9.1, allows a remote, unauthenticated attacker to leak the entire process memory of an Ollama server.
The out-of-bounds read flaw is attributed to a heap corruption issue in the GGUF model loader, which Ollama uses to create and execute large language models from GPT-Generated Unified Format (GGUF) files. The problem arises when the /api/create endpoint accepts an attacker-supplied GGUF file whose declared tensor offsets and sizes exceed the actual length of the file. During quantization in fs/ggml/gguf.go and server/quantization.go, the server reads past the allocated heap buffer, a memory safety violation.
In essence, an attacker sends a specially crafted GGUF file to an exposed Ollama server with a tensor shape declared far larger than the data the file actually contains, and the out-of-bounds read is triggered when the model is created through the /api/create endpoint. Successful exploitation could leak sensitive data from the Ollama process memory, including environment variables, API keys, system prompts, and concurrent users' conversation data.
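As an added illustration (not Ollama's own code, and not the fix applied to fs/ggml/gguf.go), the Go example below shows the descriptor check a GGUF loader has to run before it slices tensor bytes out of a file: the declared shape is multiplied out with overflow detection, and offset plus size is compared against the bytes actually present. The tensorInfo type, its field names, the tensor names and the 4 KiB data section are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// tensorInfo is a minimal stand-in for a GGUF tensor descriptor: the fields
// a loader needs before it may touch the tensor's bytes. Constructed for this
// example; it is not Ollama's fs/ggml type.
type tensorInfo struct {
	Name     string
	Dims     []uint64 // declared shape, one entry per dimension
	ElemSize uint64   // bytes per element for the declared tensor type
	Offset   uint64   // byte offset of the data relative to the data section
}

var errBadTensor = errors.New("gguf: tensor descriptor inconsistent with file")

// tensorByteSize multiplies the shape out with overflow checks. A single
// dimension near 2^64 makes a naive product wrap to a small number that then
// passes a later length comparison, so every multiplication is guarded.
func tensorByteSize(t tensorInfo) (uint64, error) {
	if len(t.Dims) == 0 || t.ElemSize == 0 {
		return 0, errBadTensor
	}
	n := uint64(1)
	for _, d := range t.Dims {
		if d == 0 || d > math.MaxUint64/n {
			return 0, errBadTensor
		}
		n *= d
	}
	if n > math.MaxUint64/t.ElemSize {
		return 0, errBadTensor
	}
	return n * t.ElemSize, nil
}

// validateTensor is the check that must run before the data section is
// sliced: offset and offset+size must both lie inside the bytes actually
// present, and the comparison is written so it cannot overflow.
func validateTensor(t tensorInfo, dataLen uint64) error {
	size, err := tensorByteSize(t)
	if err != nil {
		return err
	}
	if t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%w: %s offset=%d size=%d dataLen=%d",
			errBadTensor, t.Name, t.Offset, size, dataLen)
	}
	return nil
}

// tensorBytes hands out a view of the tensor only after validation, so the
// caller never receives a slice that extends past the file's data.
func tensorBytes(t tensorInfo, data []byte) ([]byte, error) {
	if err := validateTensor(t, uint64(len(data))); err != nil {
		return nil, err
	}
	size, _ := tensorByteSize(t)
	return data[t.Offset : t.Offset+size], nil
}

func main() {
	data := make([]byte, 4096) // constructed: a 4 KiB data section
	good := tensorInfo{Name: "blk.0.attn_q.weight", Dims: []uint64{32, 32}, ElemSize: 2}
	inflated := tensorInfo{Name: "blk.0.attn_k.weight", Dims: []uint64{1 << 40, 1 << 20}, ElemSize: 2}
	wrapped := tensorInfo{Name: "blk.0.attn_v.weight", Dims: []uint64{1 << 63, 2}, ElemSize: 2}
	for _, t := range []tensorInfo{good, inflated, wrapped} {
		b, err := tensorBytes(t, data)
		fmt.Printf("%-22s dims=%v bytes=%d err=%v\n", t.Name, t.Dims, len(b), err)
	}
}
```

Run as-is, the consistent descriptor yields a 2048-byte view while the inflated and wrapping ones are rejected; the wrapping case is the one a plain length comparison misses, because 2^63 times 2 is 0 in uint64 arithmetic.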
The exploitation chain unfolds over three steps:
1. Upload a crafted GGUF file with an inflated tensor shape to a network-accessible Ollama server using an HTTP POST request.
2. Call the /api/create endpoint to start model creation, triggering the out-of-bounds read.
3. Use the /api/push endpoint to exfiltrate data from the heap memory to an external server.
Cyera security researcher Dor Attias warned that "an attacker can learn basically anything about the organization from your AI inference — API keys, proprietary code, customer contracts, and much more." Furthermore, engineers often connect Ollama to tools like Claude Code, which raises the potential impact further: all tool outputs flow to the Ollama server, land in its heap, and can end up in an attacker's hands.
In light of this critical security vulnerability, users are strongly advised to apply the latest fixes, limit network access, audit running instances for internet exposure, and isolate and secure them behind a firewall. Deploying an authentication proxy or API gateway in front of all Ollama instances is also recommended, since the REST API does not provide authentication out of the box.
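One way to put the recommended authentication layer in front of an Ollama instance, as an added example rather than anything Ollama ships: a small Go reverse proxy that admits only requests carrying a bearer token and forwards them to Ollama on loopback, plus a helper that flags an OLLAMA_HOST value binding a non-loopback address, which is the condition the exposure audit above is looking for. The proxy port 8080, the OLLAMA_PROXY_TOKEN variable and the helper names are assumptions made for this example; Ollama's documented default bind of 127.0.0.1:11434 is the only Ollama-specific value used.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// authorized checks for "Authorization: Bearer <token>" using a constant-time
// comparison. Example helper, not part of Ollama.
func authorized(r *http.Request, token string) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return false
	}
	got := []byte(strings.TrimPrefix(h, prefix))
	return subtle.ConstantTimeCompare(got, []byte(token)) == 1
}

// newAuthProxy wraps a single-host reverse proxy so that only authorized
// requests reach the Ollama REST API, which has no authentication of its own.
func newAuthProxy(upstream *url.URL, token string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="ollama"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // the proxy secret must not travel on to Ollama
		rp.ServeHTTP(w, r)
	})
}

// exposedBind reports whether an OLLAMA_HOST value binds something other than
// a loopback address. A bare ":port" or an empty host is treated as exposed,
// since a Go listener on ":port" accepts connections on all interfaces.
func exposedBind(ollamaHost string) bool {
	host := ollamaHost
	if i := strings.Index(host, "://"); i >= 0 {
		host = host[i+3:]
	}
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.Trim(host, "[]")
	if strings.EqualFold(host, "localhost") {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return true // hostnames and an empty host: do not assume loopback
	}
	return !ip.IsLoopback()
}

func main() {
	token := os.Getenv("OLLAMA_PROXY_TOKEN") // assumed operator-chosen secret
	if token == "" {
		log.Fatal("set OLLAMA_PROXY_TOKEN before starting the proxy")
	}
	bind := os.Getenv("OLLAMA_HOST")
	if bind == "" {
		bind = "127.0.0.1:11434" // Ollama's documented default
	}
	if exposedBind(bind) {
		log.Printf("warning: OLLAMA_HOST=%q listens beyond loopback; clients can bypass this proxy", bind)
	}
	upstream, err := url.Parse("http://127.0.0.1:11434")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", newAuthProxy(upstream, token))) // assumed proxy port
}
```

The proxy only helps if Ollama itself stays on loopback; the warning printed by exposedBind exists because an Ollama bound to 0.0.0.0 remains reachable around the proxy, and the /api/create and /api/push calls in the exploitation chain above need no token at all.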
Recently, researchers at Striga detailed two vulnerabilities in Ollama's Windows update mechanism that can be chained into persistent code execution: a missing signature verification and a path traversal. The path traversal stems from the Windows updater building the local path inside the installer's staging directory directly from HTTP response headers without sanitizing it; the missing signature verification means an attacker with control over the update server can supply an arbitrary executable as part of the update process.
The vulnerabilities affect Ollama for Windows versions 0.12.10 through 0.17.5 and have been published following a 90-day disclosure period. According to Bartłomiej "Bartek" Dmitruk, co-founder of Striga, any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable, as the path traversal writes attacker-chosen executables into the Windows Startup folder. The missing signature verification keeps them there: the post-write cleanup that would remove unsigned files on a working updater is a no-op on Windows.
The chain produces persistent, silent code execution at the privilege level of the user running Ollama. Realistic payloads include reverse shells, info-stealers exfiltrating browser secrets and SSH keys, or droppers that pivot to additional persistence mechanisms. Anything that runs as the current user can be compromised. Removing the dropped binary from the Startup folder ends the persistence, but the underlying flaws remain.
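As an added example of the sanitisation the page says the Windows updater lacked (not Striga's proof of concept and not Ollama's updater code), the Go functions below take the installer filename from a Content-Disposition header, reduce it to a single plain component, and refuse anything that would resolve outside the staging directory. The helper names, the staging directory and the sample headers are constructed for the example; the Startup-folder target in the samples mirrors the behaviour described above but is illustrative only, and the Authenticode check that would address the missing signature verification is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"path/filepath"
	"strings"
)

// errUnsafeName is returned for any installer name that is not a bare ".exe"
// file name. Constructed example; not Ollama's updater code.
var errUnsafeName = errors.New("updater: refusing unsafe installer filename")

// installerNameFromHeader parses a Content-Disposition header and accepts only
// a single path component. Both separators are rejected because the Windows
// file APIs treat "/" and "\" alike; the ".." and ":" checks close off parent
// references and drive-letter prefixes.
func installerNameFromHeader(contentDisposition string) (string, error) {
	_, params, err := mime.ParseMediaType(contentDisposition)
	if err != nil {
		return "", fmt.Errorf("%w: %v", errUnsafeName, err)
	}
	name := params["filename"]
	switch {
	case name == "",
		name != filepath.Base(name),
		strings.ContainsAny(name, `/\`),
		strings.Contains(name, ".."), // deliberately conservative: also drops "a..b.exe"
		strings.Contains(name, ":"),
		!strings.HasSuffix(strings.ToLower(name), ".exe"):
		return "", errUnsafeName
	}
	return name, nil
}

// stagingPath joins the sanitised name onto the staging directory and then
// re-checks, via filepath.Rel, that the result still lies inside it. Today the
// second check cannot fail; it is there so a later change to
// installerNameFromHeader cannot silently reopen the traversal.
func stagingPath(stagingDir, contentDisposition string) (string, error) {
	name, err := installerNameFromHeader(contentDisposition)
	if err != nil {
		return "", err
	}
	full := filepath.Join(stagingDir, name)
	rel, err := filepath.Rel(stagingDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeName
	}
	return full, nil
}

func main() {
	staging := filepath.Join("C:", "Users", "victim", "AppData", "Local", "Ollama", "staging") // constructed
	// Constructed headers: one benign, the rest modelled on an update server
	// that tries to steer the write into the per-user Startup folder.
	headers := []string{
		`attachment; filename="OllamaSetup.exe"`,
		`attachment; filename="..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"`,
		`attachment; filename="../../Startup/update.exe"`,
		`attachment; filename="C:\Users\victim\Desktop\update.exe"`,
		`attachment; filename="update.exe.bat"`,
	}
	for _, h := range headers {
		p, err := stagingPath(staging, h)
		fmt.Printf("%-95s -> path=%q err=%v\n", h, p, err)
	}
}
```

Only the first header produces a path; every traversal variant, the absolute path and the non-.exe name return errUnsafeName before any file is written. Note that mime.ParseMediaType keeps unescaped backslashes inside the quoted filename literally, which is exactly why the separator check must look at both slash styles rather than trusting the parser.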
In conclusion, the Ollama out-of-bounds read vulnerability is a critical security threat to anyone hosting large language models with Ollama, and it underlines the importance of fixing memory-safety defects in open-source frameworks, and of never exposing an unauthenticated inference API to the network, before an attacker finds them.
Related Information:
https://www.ethicalhackingnews.com/articles/Ollama-Out-of-Bounds-Read-Vulnerability-A-Critical-Security-Threat-to-Large-Language-Models-ehn.shtml
https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html
https://nvd.nist.gov/vuln/detail/CVE-2026-7482
https://www.cvedetails.com/cve/CVE-2026-7482/
Published: Sun May 10 08:58:48 2026 by llama3.2 3B Q4_K_M