Ollama
1-27 CVEs
Recent CVEs
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-42249 | Critical | 0.57 | 9.8 | 0.01 | Apr 29, 2026 | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers… |
| CVE-2026-42248 | Critical | 0.57 | 9.8 | 0.00 | Apr 29, 2026 | Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike other platforms, the Windows implementation of the update verification routine unconditionally returns success, so no digital signature or trust validation is… |
| CVE-2026-7482 | Critical | 0.52 | 9.1 | 0.01 | May 4, 2026 | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go… |
| CVE-2024-12886 | High | 0.49 | 7.5 | 0.01 | Mar 20, 2025 | An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip bomb HTTP response, leading to the `ollama` server crashing. The vulnerability is present in the… |
| CVE-2026-5530 | Medium | 0.41 | 6.3 | 0.00 | Apr 5, 2026 | A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted… |
| CVE-2026-7020 | Low | 0.17 | 3.7 | 0.01 | Apr 26, 2026 | A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be… |
| CVE-2024-39719 | — | 0.04 | — | 0.04 | Oct 31, 2024 | An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects the "File does not exist" error message to the attacker, providing a primitive for file… |
| CVE-2024-37032 | — | 0.03 | — | 0.90 | May 31, 2024 | Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring. |
| CVE-2025-66960 | — | 0.00 | — | 0.00 | Jan 21, 2026 | An issue in ollama v0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go: the function readGGUFV1String reads a string length from untrusted GGUF metadata. |
| CVE-2025-66959 | — | 0.00 | — | 0.05 | Jan 21, 2026 | An issue in ollama v0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder. |
| CVE-2025-15514 | — | 0.00 | — | 0.01 | Jan 12, 2026 | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded… |
| CVE-2025-63389 | — | 0.00 | — | 0.01 | Dec 18, 2025 | A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management… |
| CVE-2025-44779 | — | 0.00 | — | 0.00 | Aug 7, 2025 | An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. |
| CVE-2025-51471 | — | 0.00 | — | 0.04 | Jul 22, 2025 | Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. |
| CVE-2025-1975 | — | 0.00 | — | 0.00 | May 16, 2025 | A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by customizing the manifest content and spoofing a service. This is due to improper validation of array index access when downloading a model via the /api/pull… |
| CVE-2024-8063 | — | 0.00 | — | 0.01 | Mar 20, 2025 | A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it… |
| CVE-2025-0312 | — | 0.00 | — | 0.01 | Mar 20, 2025 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS)… |
| CVE-2025-0317 | — | 0.00 | — | 0.13 | Mar 20, 2025 | A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding function, causing the server to crash and resulting in a Denial of… |
| CVE-2025-0315 | — | 0.00 | — | 0.01 | Mar 20, 2025 | A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack. |
| CVE-2024-12055 | — | 0.00 | — | 0.01 | Mar 20, 2025 | A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of… |
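Several rows above (CVE-2025-66960, CVE-2026-7482, CVE-2025-0315, CVE-2024-8063, CVE-2025-0317) reduce to one pattern: a length, offset or divisor read from an attacker-supplied GGUF file is used before it is checked. The Go snippet below is an added illustration of the three checks a loader needs, written for this page; it is not Ollama's fs/ggml/gguf.go. The only real format detail it relies on is the GGUF string encoding (u64 little-endian length followed by the bytes). The `maxStringLen` ceiling, the function names and the sample byte strings are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Ceiling chosen for this example; it is not Ollama's own limit.
const maxStringLen = 64 * 1024 // longest metadata string accepted

var errBounds = errors.New("gguf: declared length exceeds available data")

// readString reads one GGUF-style string (u64 little-endian length followed
// by that many bytes) from buf at offset off and returns it together with the
// offset just past it. The declared length is checked against the bytes that
// are actually present, and against maxStringLen, before anything is sliced
// or allocated, so a header claiming 2^63 bytes fails instead of exhausting
// memory or reading past the buffer.
func readString(buf []byte, off int) (string, int, error) {
	if off < 0 || len(buf)-off < 8 {
		return "", off, errBounds
	}
	n := binary.LittleEndian.Uint64(buf[off:])
	off += 8
	if n > maxStringLen || n > uint64(len(buf)-off) {
		return "", off, errBounds
	}
	end := off + int(n)
	return string(buf[off:end]), end, nil
}

// checkTensorBounds rejects a tensor whose declared [offset, offset+size)
// range, relative to the start of the data section, does not lie inside the
// file. The comparisons are arranged so that offset+size can never wrap.
func checkTensorBounds(fileLen, dataStart, offset, size uint64) error {
	if dataStart > fileLen {
		return errBounds
	}
	avail := fileLen - dataStart
	if offset > avail || size > avail-offset {
		return errBounds
	}
	return nil
}

// padding returns how many bytes bring off up to a multiple of align. A zero
// or non-power-of-two alignment taken from the file is refused up front,
// because align == 0 would otherwise panic in the modulo below.
func padding(off, align uint64) (uint64, error) {
	if align == 0 || align&(align-1) != 0 {
		return 0, fmt.Errorf("gguf: bad alignment %d", align)
	}
	return (align - off%align) % align, nil
}

// encodeString builds the wire form of a string with an arbitrary declared
// length; used only to construct sample input for this example.
func encodeString(s string, declared uint64) []byte {
	b := make([]byte, 8, 8+len(s))
	binary.LittleEndian.PutUint64(b, declared)
	return append(b, s...)
}

func main() {
	// Constructed samples: an honest string, then one whose header claims
	// 2^63 bytes follow a single byte of payload.
	good := encodeString("general.architecture", 20)
	s, next, err := readString(good, 0)
	fmt.Printf("good: %q next=%d err=%v\n", s, next, err)

	bad := encodeString("x", 1<<63)
	_, _, err = readString(bad, 0)
	fmt.Println("oversized length:", err)

	fmt.Println("tensor fits:", checkTensorBounds(4096, 1024, 512, 2048))
	fmt.Println("tensor overflows:", checkTensorBounds(4096, 1024, ^uint64(0), 16))
	p, err := padding(1025, 32)
	fmt.Println("padding:", p, err)
	_, err = padding(1025, 0)
	fmt.Println("zero alignment:", err)
}
```

The same shape applies to every count read from the header (tensor count, key/value count, dimension count): compare the declared value against what the remaining bytes could possibly hold before using it in a `make` or a loop bound.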
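CVE-2024-37032 and CVE-2026-7020 both come from an untrusted digest string becoming part of a filesystem path, and CVE-2026-42249 from a file name taken out of an HTTP response header. The following Go example is added for this page and is not Ollama's code: a deliberately unsafe path builder of the shape the CVE-2024-37032 text describes, beside a validated one, plus a Content-Disposition name check. The blob directory, the `.exe` allow-list and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	digestRE     = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
	updateNameRE = regexp.MustCompile(`^[A-Za-z0-9._-]+\.exe$`) // assumed allow-list
	errBadDigest = errors.New("blob: digest must be sha256: plus 64 lowercase hex digits")
)

// unsafeBlobPath has the shape of the logic CVE-2024-37032 describes: the
// digest is spliced into the path with only a ':' -> '-' swap, so a digest
// beginning with "../" resolves outside blobDir. Kept here only to contrast.
func unsafeBlobPath(blobDir, digest string) string {
	return filepath.Join(blobDir, strings.ReplaceAll(digest, ":", "-"))
}

// blobPath accepts only a well-formed sha256 digest, which by construction
// contains no separators or dots, and still confirms the joined path stays
// under blobDir before handing it back.
func blobPath(blobDir, digest string) (string, error) {
	if !digestRE.MatchString(digest) {
		return "", errBadDigest
	}
	p := filepath.Join(blobDir, strings.ReplaceAll(digest, ":", "-"))
	rel, err := filepath.Rel(blobDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadDigest
	}
	return p, nil
}

// updateFileName derives a local file name for a downloaded update from the
// server's Content-Disposition header, the kind of header-derived value
// CVE-2026-42249 says must not be trusted as a path. Only the base name
// survives and it must match a narrow allow-list, so the header cannot steer
// the write out of the update directory or pick a non-executable extension.
func updateFileName(contentDisposition string) (string, error) {
	_, params, err := mime.ParseMediaType(contentDisposition)
	if err != nil {
		return "", fmt.Errorf("update: bad Content-Disposition: %w", err)
	}
	name := filepath.Base(params["filename"]) // "" becomes "." and is refused below
	if !updateNameRE.MatchString(name) {
		return "", fmt.Errorf("update: refusing file name %q", params["filename"])
	}
	return name, nil
}

func main() {
	dir := "/var/lib/ollama/blobs" // constructed example directory
	fmt.Println("unsafe:", unsafeBlobPath(dir, "../../../etc/passwd"))
	fmt.Println(blobPath(dir, "../../../etc/passwd"))
	fmt.Println(blobPath(dir, "sha256:"+strings.Repeat("a", 63)))
	fmt.Println(blobPath(dir, "sha256:"+strings.Repeat("a", 64)))
	fmt.Println(updateFileName(`attachment; filename="../../Public/OllamaSetup.exe"`))
	fmt.Println(updateFileName(`attachment`))
}
```

Validating the digest's format is the primary control; the `filepath.Rel` check after the join is a second line that also catches a future change to the join logic. Note that `filepath.Base` alone is not a sanitizer: it leaves `..\..\x.exe` untouched on Linux, which is why the allow-list regexp is what finally decides.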
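For CVE-2024-12886 (a gzip bomb returned by a malicious registry) the control a client needs is a hard cap on decompressed bytes, applied before the body is buffered. The Go example below is added here and is not Ollama's code; the 1 MiB limit and the sample payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var errTooLarge = errors.New("response body exceeds decompression limit")

// readBoundedGzip inflates r but reads at most maxBytes+1 decompressed bytes.
// If that extra byte shows up the body is larger than allowed and the call
// fails, having buffered only maxBytes+1 bytes no matter how large the bomb
// would have expanded to.
func readBoundedGzip(r io.Reader, maxBytes int64) ([]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	out, err := io.ReadAll(io.LimitReader(gz, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, errTooLarge
	}
	return out, nil
}

// gzipBytes compresses b; used only to build the sample inputs below.
func gzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(b)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed sample: 8 MiB of zeros compresses to a few KiB on the wire.
	bomb := gzipBytes(make([]byte, 8<<20))
	fmt.Printf("bomb on the wire: %d bytes\n", len(bomb))
	_, err := readBoundedGzip(bytes.NewReader(bomb), 1<<20)
	fmt.Println("limit 1 MiB:", err)

	small := gzipBytes([]byte(`{"models":[]}`))
	body, err := readBoundedGzip(bytes.NewReader(small), 1<<20)
	fmt.Println("small body:", string(body), err)
}
```

In a real client the reader passed in is `resp.Body`. When Go's `http.Transport` added the `Accept-Encoding: gzip` header itself it inflates the body transparently, in which case the same `io.LimitReader(resp.Body, maxBytes+1)` goes directly around the body; either way the limit sits between the network and any `io.ReadAll` or JSON decoder.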
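CVE-2025-51471 describes a realm value in a WWW-Authenticate challenge steering the client's token to another domain. The Go example below, added for this page and not Ollama's code, pins the realm before any credential is sent: it must be https and on the same host as the registry that issued the 401. The same-host policy is an assumption for the example (a deployment may instead allow-list a dedicated auth host), and the registry and realm hosts are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// paramRE matches one key="value" parameter of a Bearer challenge.
var paramRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// parseBearerChallenge extracts the parameters of a Bearer challenge from a
// WWW-Authenticate header value and requires a realm to be present.
func parseBearerChallenge(header string) (map[string]string, error) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return nil, errors.New("auth: not a Bearer challenge")
	}
	params := map[string]string{}
	for _, m := range paramRE.FindAllStringSubmatch(header[len(prefix):], -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	if params["realm"] == "" {
		return nil, errors.New("auth: challenge has no realm")
	}
	return params, nil
}

// tokenEndpoint decides where the client may send its credentials in response
// to a 401 from registryURL. The realm is attacker-controlled whenever the
// registry is, so it is pinned to https on the registry's own host; anything
// else is refused rather than followed.
func tokenEndpoint(registryURL, wwwAuthenticate string) (*url.URL, error) {
	reg, err := url.Parse(registryURL)
	if err != nil {
		return nil, err
	}
	params, err := parseBearerChallenge(wwwAuthenticate)
	if err != nil {
		return nil, err
	}
	realm, err := url.Parse(params["realm"])
	if err != nil {
		return nil, fmt.Errorf("auth: bad realm: %w", err)
	}
	if realm.Scheme != "https" {
		return nil, fmt.Errorf("auth: realm %q is not https", params["realm"])
	}
	if !strings.EqualFold(realm.Hostname(), reg.Hostname()) {
		return nil, fmt.Errorf("auth: realm host %q does not match registry host %q",
			realm.Hostname(), reg.Hostname())
	}
	// service and scope are passed through as query parameters, as in the
	// usual token-exchange flow; the realm itself is what must not be trusted.
	q := realm.Query()
	for _, k := range []string{"service", "scope"} {
		if v := params[k]; v != "" {
			q.Set(k, v)
		}
	}
	realm.RawQuery = q.Encode()
	return realm, nil
}

func main() {
	registry := "https://registry.example/v2/library/llama3/manifests/latest" // constructed
	ok := `Bearer realm="https://registry.example/token",service="registry.example",scope="repository:library/llama3:pull"`
	u, err := tokenEndpoint(registry, ok)
	fmt.Println("same host:", u, err)

	evil := `Bearer realm="https://evil.example/token",service="registry.example"`
	_, err = tokenEndpoint(registry, evil)
	fmt.Println("cross-domain realm:", err)
}
```

The check belongs at the point where the client is about to sign or attach a token, not only where the challenge is parsed, so that a redirect on the token request itself is subject to the same host pinning.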