Ollama flaw could expose process memory from exposed servers, researchers say

Cybersecurity researchers say a critical flaw in Ollama could let a remote unauthenticated attacker leak the entire process memory from exposed servers, with the issue tracked as CVE-2026-7482 and given a CVSS score of 9.1.

KEY FACTS

  • Flaw: The heap out-of-bounds read affects Ollama before version 0.17.1.
  • Impact: Sensitive data in memory may be exposed, including API keys, system prompts and conversation data.
  • Attack path: A crafted GGUF file can trigger the issue through the /api/create endpoint.
  • Exfiltration: The resulting model artifact may be pushed out through the /api/push endpoint.

A technical analysis from Cyera said the flaw, codenamed Bleeding Llama, stems from Ollama’s use of unsafe memory operations while loading GGUF model files. The report said an attacker can upload a specially crafted file with an inflated tensor shape to a network-accessible server and trigger the read during model creation.
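The inflated tensor shape described above is something a defender can screen for before a GGUF file reaches a loader. The following is an added example, not code from Ollama, Cyera or the fix: it flags tensors whose declared shape needs more bytes than the file contains. It assumes the GGUF v2/v3 layout from the public format specification and the default 32-byte alignment; the names `oversized_tensors`, `Reader` and `sample` are hypothetical.

```python
import math, struct

# Sized here: unquantized tensor types only (ggml 0 = F32, 1 = F16); others are flagged.
ELEM_SIZE = {0: 4, 1: 2}
# Fixed-width GGUF metadata value types: type id -> byte width.
SCALAR = {0: 1, 1: 1, 2: 2, 3: 2, 4: 4, 5: 4, 6: 4, 7: 1, 10: 8, 11: 8, 12: 8}
class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated GGUF structure")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u32(self): return struct.unpack("<I", self.take(4))[0]
    def u64(self): return struct.unpack("<Q", self.take(8))[0]
    def string(self): return self.take(self.u64())
    def skip_value(self, vtype):
        if vtype in SCALAR: self.take(SCALAR[vtype])
        elif vtype == 8: self.string()
        elif vtype == 9:  # array: element type, count, then the elements
            etype, count = self.u32(), self.u64()
            for _ in range(count): self.skip_value(etype)
        else: raise ValueError(f"unknown metadata type {vtype}")

def oversized_tensors(data, align=32):  # align: GGUF default, assumed
    """Names of tensors whose declared shape needs more bytes than the file holds."""
    r = Reader(data)
    if r.take(4) != b"GGUF": raise ValueError("not a GGUF file")
    r.u32()  # format version, not needed for the bounds check
    n_tensors, n_kv = r.u64(), r.u64()
    for _ in range(n_kv):  # skip metadata key/value pairs
        r.string()
        r.skip_value(r.u32())
    infos = []
    for _ in range(n_tensors):
        name = r.string().decode("utf-8", "replace")
        dims = [r.u64() for _ in range(r.u32())]
        infos.append((name, dims, r.u32(), r.u64()))  # ..., type id, data offset
    base = -(-r.pos // align) * align  # tensor data begins at the next aligned offset
    # Python ints are unbounded; a C or Go port must also overflow-check the product.
    return [name for name, dims, ttype, offset in infos
            if ttype not in ELEM_SIZE
            or base + offset + math.prod(dims) * ELEM_SIZE[ttype] > len(data)]

def sample(declared, actual):  # constructed input: one F32 tensor named "w"
    head = b"GGUF" + struct.pack("<IQQ", 3, 1, 0)
    info = struct.pack("<Q", 1) + b"w" + struct.pack("<IQIQ", 1, declared, 0, 0)
    pad = -len(head + info) % 32
    return head + info + bytes(pad) + bytes(4 * actual)
```

A file that names a quantized tensor type is reported as well, because this sketch does not compute block-quantized sizes.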

The disclosure said the exposure can include environment variables, API keys, proprietary code and other data already in memory. It also said organizations that connect Ollama to other tools may increase the amount of information available in the process heap.

Users were advised to apply the latest fixes, limit network access and place authentication in front of Ollama, since the REST API does not include it by default.

In a separate disclosure, Striga said two Windows update flaws in Ollama can be chained into persistent code execution. CERT Polska said Windows versions 0.12.10 through 0.17.5 are vulnerable to the two issues, while the report also said installations through 0.22.0 are affected.

WHY IT MATTERS

The findings show that exposed local AI servers can create both data leakage and code execution risks if they are not isolated and updated. The reports point to the need for network controls, update checks and authentication before such systems are placed on a wider network.