CVE Catalog

CVE-2026-5530

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

A vulnerability has been found in Ollama up to version 0.18.1 in the Model Pull API component, specifically in the file server/download.go. It allows remote attackers to perform a Server-Side Request Forgery (SSRF) attack through manipulation of an unknown process.

Risk Assessment

An attacker can exploit this vulnerability to make the Ollama server send requests to internal network resources, potentially leading to unauthorized data access or further system compromise.

Recommendation

It is recommended to immediately update Ollama to a version newer than 0.18.1 if available, or apply temporary network restrictions to limit access to the Model Pull API.

Original NVD description (English source)

A flaw has been found in Ollama up to 0.18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS