Critical Bug May Expose 300,000 Ollama Deployments to Data Theft

Roughly 300,000 Ollama deployments are at risk of sensitive data theft via a remotely exploitable, unauthenticated critical vulnerability, Cyera warns.

Ollama is an open source solution for running LLMs on local machines and is extremely popular among organizations as a self-hosted AI inference engine.

A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables, including API keys, tokens, and secrets, Cyera says.

Tracked as CVE-2026-7482 (CVSS score of 9.3) and dubbed Bleeding Llama, the bug affects the GGUF model loader, which accepts an attacker-supplied GGUF file containing a declared tensor offset and size larger than the file’s length.

When processing the file, Ollama reads past the allocated heap buffer, accessing memory that may contain sensitive information.
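
The kind of bounds check that rejects such a file, as an added Go example (not Ollama's code or its actual fix): each tensor's declared offset and size are compared against the bytes really present in the file before anything is read. `TensorInfo`, `ValidateTensors` and the sample values are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// TensorInfo is a simplified, hypothetical tensor descriptor: the byte offset
// and byte size a model file declares for one tensor, relative to the start
// of the tensor data section.
type TensorInfo struct {
	Name   string
	Offset uint64
	Size   uint64
}

var ErrTensorOutOfBounds = errors.New("tensor extends past end of file")

// ValidateTensors rejects any tensor whose declared range does not fit inside
// the bytes actually present in the file. fileSize is the real on-disk size;
// dataStart is where the tensor data section begins.
func ValidateTensors(fileSize, dataStart uint64, tensors []TensorInfo) error {
	if dataStart > fileSize {
		return fmt.Errorf("data section starts at %d, file is %d bytes: %w",
			dataStart, fileSize, ErrTensorOutOfBounds)
	}
	avail := fileSize - dataStart
	for _, t := range tensors {
		// Compare without computing Offset+Size, which can wrap around
		// uint64 and make a huge range look small.
		if t.Offset > avail || t.Size > avail-t.Offset {
			return fmt.Errorf("tensor %q offset=%d size=%d, %d bytes available: %w",
				t.Name, t.Offset, t.Size, avail, ErrTensorOutOfBounds)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 4096-byte file whose data section starts at 1024.
	tensors := []TensorInfo{
		{"ok", 0, 2048},
		{"oversized", 2048, 1 << 20},         // declared size larger than the file
		{"wrapping", math.MaxUint64 - 7, 16}, // offset+size overflows uint64
	}
	for _, t := range tensors {
		fmt.Println(t.Name, ValidateTensors(4096, 1024, []TensorInfo{t}))
	}
}
```

The comparison `t.Size > avail-t.Offset` is the overflow-safe form of `Offset+Size > avail`; the naive sum would accept the "wrapping" entry.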

“The attacker then leverages Ollama’s built-in model push feature to exfiltrate the resulting file – complete with stolen heap data – to an attacker-controlled server. The entire attack requires only three unauthenticated API calls,” Cyera says.

The cybersecurity firm explains that Ollama launches by default without authentication and listens on all network interfaces, meaning that all internet-accessible instances are at risk of exploitation.

“With roughly 300,000 Ollama servers currently exposed on the public internet, this vulnerability is immediately and broadly exploitable – no credentials required,” Cyera warns.

Depending on how Ollama is used, successful exploitation of Bleeding Llama could expose employee interactions, development code, routed tool outputs, and prompts containing PII, PHI, and other sensitive information.

According to Cyera, “any deployment where Ollama is network-accessible without a firewall or authentication proxy in front of it” is at risk of exploitation.

The vulnerability was addressed in Ollama version 0.17.1. Organizations are advised to apply the fix as soon as possible and restrict network access to their deployments. Deploying an authentication proxy and network segmentation should improve security.

Organizations should also audit running instances for internet exposure and consider any instance accessible from the internet, as well as the environment variables and data passing through it, to be compromised.
