VYPR
advisoryPublished May 5, 2026· Updated May 17, 2026· 1 source

Unpatched Ollama Windows Flaws Enable Persistent RCE via Auto-Updater

Two unpatched vulnerabilities in the Ollama Windows auto-updater allow attackers to bypass signature checks and achieve persistent remote code execution by planting malicious files in the startup folder.

Researchers at Striga have identified two critical vulnerabilities in the Windows version of Ollama, an open-source tool for running large language models locally. By chaining these flaws, an attacker can bypass security checks to plant malicious executables that achieve persistence on a victim's machine, executing automatically upon every user login Help Net Security.

The vulnerability chain involves two distinct flaws: CVE-2026-42248 and CVE-2026-42249. CVE-2026-42248 is a failure in the auto-updater's signature verification process. While the code for signature verification exists, it is functionally inert, allowing the application to execute any downloaded file regardless of its origin or integrity. In contrast, the macOS version of Ollama correctly performs these code-signing checks Help Net Security.

CVE-2026-42249 is a path traversal vulnerability that occurs because the Windows updater constructs local file paths using unsanitized HTTP response headers. An attacker who can intercept or control the update response can inject ../ sequences into the ETag header. This allows them to write an arbitrary executable directly into the user's Windows Startup folder. Because the signature check (CVE-2026-42248) fails to validate the file, the system does not trigger a cleanup, and the malicious payload remains in the Startup folder, executing every time the user logs in Help Net Security.

To exploit this chain, an attacker must be able to control the update response received by the Ollama client. This can be achieved through several methods, including compromising the update infrastructure, using a local foothold to redirect the client via the OLLAMA_UPDATE_URL variable or hosts file modifications, or performing network-level interception such as DNS hijacking or TLS man-in-the-middle attacks with a forged certificate Help Net Security.

The vulnerabilities affect Ollama for Windows versions 0.12.10 through 0.17.5. Striga researchers reported these findings to the Ollama maintainers in late January 2026 but received no meaningful response. Following five weeks of silence, CERT Polska assumed responsibility for coordinating the disclosure and officially published a warning on April 29, 2026 Help Net Security.

As of the disclosure, there is no indication that the maintainers have addressed the vulnerabilities. Users are advised to remain vigilant, as the auto-update feature is enabled by default and the application is configured to run on startup. These findings highlight the risks associated with automated update mechanisms that lack robust integrity verification, a pattern that continues to pose significant security challenges for desktop software Help Net Security.

Synthesized by Vypr AI