Two newly disclosed high-severity vulnerabilities in Ollama for Windows, CVE-2026-42248 and CVE-2026-42249, allow attackers to silently deliver and persistently execute malicious code on affected systems by exploiting a fundamentally broken update mechanism, with no user interaction required.
Published on April 29, 2026, these flaws affect Ollama versions 0.12.10 through 0.17.5 and represent a critical supply chain risk for AI developers and enterprise teams running local large language model (LLM) infrastructure on Windows.
Ollama is a widely adopted open-source platform that lets developers and organizations run large language models locally, including Meta’s Llama, Mistral, and other AI models, directly on their machines.
Its growing adoption in enterprise AI pipelines and developer workflows makes these vulnerabilities especially dangerous: attackers targeting Ollama can pivot from a compromised update channel to persistent code execution across an entire organization’s AI infrastructure without triggering traditional endpoint alerts.
CVE-2026-42248:
The first vulnerability, CVE-2026-42248 (CWE-494: Download of Code Without Integrity Check), exposes a fundamental design flaw in the Windows-specific update routine.
Unlike the Linux and macOS builds of Ollama, the Windows implementation of the update verification function unconditionally returns a success status, meaning it never actually validates the digital signature or cryptographic integrity of any downloaded executable before staging or running it.
This means that any attacker capable of intercepting or influencing Ollama’s update traffic through a man-in-the-middle (MITM) attack, DNS spoofing, or a compromised update server can substitute a malicious binary for a legitimate update payload.
The application will accept and execute the attacker-supplied file without question. Adding to the severity, Ollama for Windows performs silent automatic updates, allowing this malicious payload to be installed and executed entirely without user awareness or approval.
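The difference between a verifier that always reports success and one that fails closed, as an added example (not Ollama's code). It assumes a detached Ed25519 signature over the payload's SHA-256 digest and a public key pinned in the client, which is a stand-in scheme rather than the signature check the Windows build would need; `verifyStub`, `verifyUpdate` and `signForDemo` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// verifyStub has the shape of the flaw described above: whatever was
// downloaded, the caller is told that verification succeeded.
func verifyStub(payload, sig []byte) error { return nil }

var errUnverified = errors.New("update rejected: signature check failed")

// verifyUpdate fails closed: it returns nil only if sig is a valid Ed25519
// signature over the payload's SHA-256 digest under the pinned public key.
func verifyUpdate(pinned ed25519.PublicKey, payload, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return errUnverified
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return errUnverified
	}
	return nil
}

// signForDemo builds constructed test material: a throwaway key pair and a
// signature over payload, standing in for a vendor's release signing step.
func signForDemo(payload []byte) (ed25519.PublicKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(payload)
	return pub, ed25519.Sign(priv, digest[:])
}

func main() {
	genuine := []byte("constructed bytes standing in for the real installer")
	swapped := []byte("constructed bytes standing in for a substituted file")
	pub, sig := signForDemo(genuine)
	fmt.Println("stub, swapped payload:  ", verifyStub(swapped, sig))
	fmt.Println("verify, genuine payload:", verifyUpdate(pub, genuine, sig))
	fmt.Println("verify, swapped payload:", verifyUpdate(pub, swapped, sig))
}
```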
| CVE | CWE | CVSS 4.0 | Affected Platform | Silent Auto-Update? |
|---|---|---|---|---|
| CVE-2026-42248 | CWE-494 | High | Windows only | Yes |
| CVE-2026-42249 | CWE-494 / CWE-22 | 7.7 High | Windows only | Yes |
CVE-2026-42249: Path Traversal Enables Arbitrary File Write
The second vulnerability, CVE-2026-42249 (CWE-494 + CWE-22: Path Traversal), compounds the danger by allowing attackers to control where malicious files are written on the victim’s filesystem.
When Ollama for Windows processes update responses, it constructs local file paths using values derived directly from attacker-controlled HTTP response headers, and those values are passed unvalidated to filepath.Join.
Because no sanitization strips path traversal sequences (../), an attacker can write arbitrary executables to any location accessible to the current user, including the Windows Startup directory.
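The path construction described above next to a hardened form, as an added example that is not taken from Ollama's source. The staging directory, the sample filenames and the function names `unsafeStagePath` and `safeStagePath` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// unsafeStagePath mirrors the pattern described above: a header-derived
// value goes straight into filepath.Join. Join cleans the result, so ".."
// segments are resolved and the path can leave the staging directory.
func unsafeStagePath(stageDir, headerName string) string {
	return filepath.Join(stageDir, headerName)
}

var errBadName = errors.New("update filename rejected")

// safeStagePath accepts only a bare filename, then confirms that the joined
// path is still a direct child of stageDir. Both "/" and "\" are rejected
// explicitly because "\" is a separator on Windows but not elsewhere.
func safeStagePath(stageDir, headerName string) (string, error) {
	if headerName == "" || headerName == "." || headerName == ".." ||
		strings.ContainsAny(headerName, `/\:`) || strings.ContainsRune(headerName, 0) {
		return "", errBadName
	}
	full := filepath.Join(stageDir, headerName)
	rel, err := filepath.Rel(stageDir, full)
	if err != nil || rel != headerName {
		return "", errBadName
	}
	return full, nil
}

func main() {
	stage := filepath.FromSlash("/tmp/ollama-updates") // constructed staging dir
	names := []string{"OllamaSetup.exe", "../../evil.exe", `..\..\evil.exe`}
	for _, name := range names {
		p, err := safeStagePath(stage, name)
		fmt.Printf("%-20q unsafe=%q safe=%q err=%v\n",
			name, unsafeStagePath(stage, name), p, err)
	}
}
```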
Files dropped into the Startup folder are automatically executed every time the user logs in, providing a reliable persistence mechanism. This means an attacker doesn’t just achieve a one-time code execution; they establish persistent, recurring code execution that survives reboots without any further interaction.
The most critical threat scenario emerges when both vulnerabilities are chained together. An attacker first exploits the path traversal in CVE-2026-42249 to write a malicious executable to the Windows Startup directory (or another privileged path).
They then rely on CVE-2026-42248 to ensure that Ollama accepts and executes the unsigned payload without raising any integrity alarms. Because Ollama handles updates silently and automatically, the entire attack from payload delivery to persistence establishment requires zero clicks and zero user awareness.
This type of exploit chain closely parallels other recent CWE-494 incidents, including CVE-2026-25961 in SumatraPDF and CVE-2025-15556 in Notepad++, where broken update mechanisms allowed network attackers to achieve arbitrary code execution through intercepted or poisoned update channels.
Affected Versions and Disclosure Timeline
CERT Polska confirmed that Ollama versions 0.12.10 through 0.17.5 are vulnerable based on direct testing. Versions outside this range were not tested and may also be affected.
The Ollama project maintainers were notified early in the coordinated disclosure process. Still, they did not provide patch details or a confirmed vulnerable version range, which is why CERT Polska proceeded to public disclosure.
This lack of vendor response raises significant concerns about Ollama’s security posture and patch readiness for enterprise users.
Mitigations
Until an official patch is released, security teams and individual users should take the following immediate steps:
- Disable automatic updates in Ollama’s Windows configuration to prevent silent payload staging
- Block Ollama’s update traffic at the network perimeter or via host-based firewall rules, restricting outbound connections from the Ollama process
- Monitor the Windows Startup directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) for unexpected file writes using EDR or file integrity monitoring
- Enable exploit protection through Microsoft Defender for Endpoint to reduce the attack surface on Windows hosts
- Audit Ollama deployments for public-facing exposure, as prior vulnerabilities like CNVD-2025-04094 showed that Ollama API ports exposed to the internet can be accessed without authentication
- Upgrade Ollama to any version above 0.17.5 once the vendor confirms an official patched release
FAQ
Q1: What is CVE-2026-42248?
It is a critical Ollama for Windows flaw (CWE-494) in which the update routine skips all signature and integrity checks, allowing attackers to execute malicious update payloads silently.
Q2: How does CVE-2026-42249 enable persistence?
It exploits unvalidated HTTP response headers in Ollama’s updater to write attacker-controlled executables via path traversal directly into the Windows Startup folder, so the payload runs automatically at every login and persists across reboots.
Q3: Are Linux or macOS Ollama users affected?
No, both CVE-2026-42248 and CVE-2026-42249 exclusively affect the Windows implementation of Ollama’s update mechanism, as the flawed verification routine is Windows-specific.
Q4: Is there a patch available?
As of April 29, 2026, no official patch has been confirmed, as Ollama maintainers did not respond during the coordinated disclosure process with CERT Polska.
Site: https://thecybrdef.com