Ollama Vulnerability Exposed: Critical Security Flaw Allows Remote Code Execution

Cybersecurity researchers have discovered a critical vulnerability in Ollama, the popular open-source tool that allows users to run large language models locally on their machines. The flaw, dubbed Bleeding Llama and tracked as CVE-2026-7482, carries a severe rating of 9.1 and could potentially impact over 300,000 servers worldwide. Ollama has gained significant traction in the developer community, evidenced by its impressive 171,000 stars and 16,100 forks on GitHub, making this discovery particularly concerning for its large user base.

The primary vulnerability exists in how Ollama processes GGUF files, which are the file format used to store language models. When a maliciously crafted GGUF file is sent to an Ollama server, it can trigger an out-of-bounds memory read during model creation, causing sensitive information to leak from the server's memory. An attacker could exploit this by manipulating the model size parameters in a fake GGUF file, tricking Ollama into reading beyond its allocated memory boundaries. This could expose critical data including passwords, API keys, private code, user conversations, and customer information. The attacker could then exfiltrate this leaked data by having the compromised model sent to a server under their control. The risk is amplified when Ollama integrates with tools like Claude Code, as all interactions with these tools are stored on the Ollama server and become vulnerable to theft.

Additionally, researchers at Striga identified two separate vulnerabilities specific to Ollama's Windows version that remain unpatched since being reported in January 2026. These flaws involve a path traversal issue and a missing signature verification check in the automatic update mechanism. An attacker who can intercept or redirect the update server connection could deliver a malicious update file that executes arbitrary code whenever the user logs into Windows. The path traversal vulnerability allows attackers to place persistent malicious files in the Windows Startup folder, while the absence of signature verification means these files are executed without any security validation.

Security experts strongly recommend that Ollama users immediately update to the latest version to address the Bleeding Llama vulnerability, implement network access restrictions, verify their systems are not exposed to the internet without firewall protection, and consider deploying an API gateway or proxy for additional security since Ollama lacks native authentication. For Windows users running versions 0.12.10 through 0.22.0, the recommendation is to disable automatic updates and remove the Ollama shortcut from the Startup folder to prevent unauthorized code execution. These vulnerabilities collectively represent a significant threat to organizations using Ollama for AI inference, particularly those handling sensitive data or integrating the tool into broader development workflows.

Stay secure — stay Wavasec. 🔐