Description
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker-controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.
An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker-chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.

Critically, when chained with CVE-2026-42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.

Maintainers of this project were notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable; other versions were not tested but might also be vulnerable.
Published: 2026-04-29
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ollama for Windows implements its own update mechanism, but it does not validate HTTP response headers returned by the update server. Values taken from these headers are concatenated into a local file path via filepath.Join, which allows the attacker to supply path traversal sequences such as "../". An attacker who can influence the update response can cause the application to write arbitrary files outside the intended update staging area, including executable binaries to the Windows Startup folder, thereby enabling automatic code execution. Chaining this flaw with CVE-2026-42248, which concerns missing signature verification for updates, further allows delivery of malicious payloads that are automatically executed by the silent update process. The primary consequence is that an attacker can execute any code on the target machine with the privileges of the user running the application, including persistence through the Startup mechanism. The weakness is a path traversal flaw (CWE-22) combined with missing integrity checks (CWE-494).
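The flawed pattern and a hardened replacement, as an added Go example that is not Ollama's code: vulnerablePath shows a header-derived name reaching filepath.Join unchecked, while safeStagingPath accepts only a plain filename and confirms with filepath.Rel that the result stays inside the staging directory. The directory, the sample header values and both function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for header-derived names that are not a plain
// filename or that would resolve outside the staging directory.
var ErrUnsafeName = errors.New("update filename rejected: not confined to staging directory")

// vulnerablePath mirrors the flawed pattern the advisory describes: a name
// taken from an HTTP response header goes straight into filepath.Join, so
// ".." segments are resolved and the result may leave stagingDir.
func vulnerablePath(stagingDir, headerName string) string {
	return filepath.Join(stagingDir, headerName)
}

// safeStagingPath is the hardened form. It treats backslashes as separators
// (so the check behaves the same on every host OS), accepts only a plain
// filename with no directory component, and then confirms with filepath.Rel
// that the joined result is still inside stagingDir.
func safeStagingPath(stagingDir, headerName string) (string, error) {
	name := strings.ReplaceAll(headerName, `\`, "/")
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return "", ErrUnsafeName
	}
	full := filepath.Join(stagingDir, name)
	rel, err := filepath.Rel(stagingDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	staging := filepath.Join("/opt", "ollama", "staging") // constructed example directory
	// Constructed sample header values; the "../" and "..\" cases are the traversal attempts.
	for _, n := range []string{"ollama-update.exe", "../../outside.exe", `..\..\outside.exe`, "sub/nested.exe"} {
		fmt.Printf("header %-22q vulnerable -> %s\n", n, vulnerablePath(staging, n))
		if p, err := safeStagingPath(staging, n); err != nil {
			fmt.Printf("%-31s hardened   -> %v\n", "", err)
		} else {
			fmt.Printf("%-31s hardened   -> %s\n", "", p)
		}
	}
}
```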

Affected Systems

The vulnerability affects Ollama for Windows. Versions 0.12.10 through 0.17.5 were verified to be vulnerable; other releases were not examined and are not guaranteed to be free of the flaw.

Risk and Exploitability

The CVSS score of 7.7 reflects the severity of remote code execution with no requirement for user interaction. EPSS is not available, but the flaw is exploitable through the silent automatic update process, meaning an attacker only needs to control the update server response. The issue is not listed in the CISA KEV dataset, yet its impact and automatic execution characteristics make it highly dangerous if an attacker can provide crafted update traffic. An attacker likely exploits this by hosting a malicious update server or intercepting legitimate update traffic, thereby inserting path traversal directives and malicious binaries into the update payload.

Generated by OpenCVE AI on April 29, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove Ollama’s automatic update feature until an official patch is released. This stops the application from fetching updates from potentially compromised update servers.
  • Enforce strict input validation on all components that construct file paths from external data, ensuring that only the intended update staging directory is used and that traversal sequences are rejected. The application should also verify that any executable written to a privileged location is signed and comes from a trusted source.
  • Monitor the Windows Startup folder and any other locations where the application may write executable files for unexpected changes, and remove any suspicious binaries immediately.



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Ollama
Ollama ollama
Vendors & Products Ollama
Ollama ollama

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker-controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker-chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE-2026-42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable; other versions were not tested but might also be vulnerable.
Title Remote Code Execution in Ollama via Update Mechanism
Weaknesses CWE-22
CWE-494
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-29T13:20:29.799Z

Reserved: 2026-04-25T11:31:56.229Z

Link: CVE-2026-42249

Vulnrichment

Updated: 2026-04-29T13:20:23.094Z

NVD

Status : Received

Published: 2026-04-29T12:16:19.113

Modified: 2026-04-29T12:16:19.113

Link: CVE-2026-42249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:30:13Z

Weaknesses