Critical Ollama Vulnerability Exposes 300,000 Servers to Data Theft
Key Takeaways A critical security flaw, dubbed “Bleeding Llama,” affects Ollama, a popular platform for running local AI models. The vulnerability (CVE-2026-7482) allows unauthenticated...
Key Takeaways
- A critical security flaw, dubbed “Bleeding Llama,” affects Ollama, a popular platform for running local AI models.
- The vulnerability (CVE-2026-7482) allows unauthenticated attackers to extract sensitive data, including prompts and environment variables, from memory.
- Approximately 300,000 internet-facing Ollama servers are at risk worldwide.
- A patch is available in Ollama version 0.17.1, and immediate upgrades are strongly recommended.
Critical Ollama Vulnerability Exposes 300,000 Servers to Data Theft
A severe security vulnerability has been identified in Ollama, a widely adopted platform for deploying local artificial intelligence models. This flaw jeopardizes one of the leading tools in the local AI ecosystem, potentially leading to significant data exposure across numerous deployments.
Table Of Content
Dubbed “Bleeding Llama,” the vulnerability enables unauthenticated attackers to gain access to the Ollama process and directly exfiltrate sensitive information from memory. This puts an estimated 300,000 internet-facing servers globally at risk. Exploitation is remarkably simple, requiring only three API calls to extract user prompts, system instructions, and environment variables, transforming AI infrastructure into an unforeseen vector for data leakage.
Cybersecurity researchers at Cyera discovered this issue, which has been assigned CVE-2026-7482 by the Echo CVE Numbering Authority. It carries a critical CVSS score of 9.1, indicating a substantial risk to enterprises utilizing the platform.
Understanding the “Bleeding Llama” Mechanism
Ollama facilitates the creation of model instances from uploaded files, including GGUF model files. These files are used to package tensors, metadata, and other essential model information for local inference. The core of the vulnerability lies within this model creation process, specifically how Ollama handles uploaded files via its API in preparation for conversion and saving.
Researchers found that a specially crafted GGUF file can exploit this process. By declaring a tensor shape significantly larger than the actual data contained within the file, an attacker can trick the server into reading beyond its intended buffer. This weakness manifests during tensor conversion, where Ollama leverages Go’s `unsafe` functionality for low-level memory operations, bypassing standard safety mechanisms. Since the software inadequately validates that the tensor metadata corresponds to the actual file size, the conversion routine can trigger an out-of-bounds heap read, capturing unrelated memory contents from adjacent areas.
Crucially, this leaked memory is then incorporated into the newly created model file rather than being discarded. The attack escalates in danger due to a method researchers devised to preserve the leaked memory in a readable format during conversion. By employing a float-16 source tensor and forcing a float-32 destination, attackers can leverage a lossless conversion path, ensuring the stolen bytes remain intact instead of being corrupted by lossy quantization.
Once the malicious model is successfully created, Ollama’s push functionality can be exploited to upload it to an attacker-controlled server, effectively exfiltrating the leaked memory from the compromised system. According to Cyera’s research, the exfiltrated heap data can encompass user prompts, system prompts from other models, and environment variables stored by the host running Ollama.
In an enterprise context, this could expose highly sensitive information such as API keys, internal operational instructions, proprietary code, customer-related content, and other confidential materials processed through AI workflows. The risk is further amplified when Ollama is integrated with external tools or coding assistants, as their outputs may also traverse memory and become susceptible to theft.
The vulnerability impacts all Ollama deployments prior to version 0.17.1. This version includes the necessary security fix referenced by both the researchers and Echo.
What You Should Do
- Upgrade Immediately: All organizations running Ollama should upgrade to version 0.17.1 or newer without delay.
- Remove Public Exposure: If possible, remove Ollama instances from direct internet exposure.
- Implement Authentication: Place Ollama deployments behind robust authentication controls.
- Restrict Network Access: Limit access to Ollama to trusted internal networks only.
- Review Logs and Rotate Secrets: For any internet-accessible environments, conduct a thorough review of logs, rotate all API keys and other secrets, and operate under the assumption that prompts and environment data may have already been compromised.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.