Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns.
Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine.
A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables holding API keys, tokens, and secrets, Cyera says.
Tracked as CVE-2026-7482 (CVSS score of 9.3) and dubbed Bleeding Llama, the bug affects the GGUF model loader, which accepts an attacker-supplied GGUF file containing a declared tensor offset and size larger than the file’s length.
When processing the file, the loader reads past the allocated heap buffer, accessing memory that may contain sensitive information.
“The attacker then leverages Ollama’s built-in model push feature to exfiltrate the resulting file – complete with stolen heap data – to an attacker-controlled server. The entire attack requires only three unauthenticated API calls,” Cyera says.
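The kind of bounds check whose absence the loader flaw above describes, as an added Go example (not Ollama's code or its patch): a validator that rejects tensor entries whose declared offset and size exceed the bytes actually present in the file. The struct, field, and function names are hypothetical, and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorInfo holds what a GGUF tensor entry declares about its data.
// Names are hypothetical; Size is the byte length derived from dims and type.
type TensorInfo struct {
	Name   string
	Offset uint64 // relative to the start of the tensor data region
	Size   uint64
}

var ErrOutOfBounds = errors.New("tensor data outside file")

// ValidateTensors rejects a file whose declared tensor ranges do not fit
// inside the bytes actually present. fileLen is the real file size and
// dataStart is where the tensor data region begins.
func ValidateTensors(fileLen, dataStart uint64, tensors []TensorInfo) error {
	if dataStart > fileLen {
		return fmt.Errorf("data region starts at %d, file is %d bytes: %w",
			dataStart, fileLen, ErrOutOfBounds)
	}
	avail := fileLen - dataStart // bytes that exist after the header
	for _, t := range tensors {
		// Compare by subtraction: Offset+Size can wrap around uint64
		// and make an oversized range look small.
		if t.Offset > avail || t.Size > avail-t.Offset {
			return fmt.Errorf("tensor %q: offset=%d size=%d, only %d data bytes: %w",
				t.Name, t.Offset, t.Size, avail, ErrOutOfBounds)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 4096-byte file whose data region starts at 1024.
	const fileLen, dataStart = 4096, 1024
	cases := [][]TensorInfo{
		{{"ok", 0, 3072}},
		{{"too_big", 0, 1 << 20}},
		{{"wraps", 64, ^uint64(0) - 32}},
	}
	for _, c := range cases {
		fmt.Printf("%-8s -> %v\n", c[0].Name, ValidateTensors(fileLen, dataStart, c))
	}
}
```

The third case is the one a naive `Offset+Size <= avail` comparison would accept, because the sum wraps around to a small number.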
The cybersecurity firm explains that Ollama launches by default without authentication, and that it listens on all network interfaces, meaning that all internet-accessible instances are prone to exploitation.
“With approximately 300,000 Ollama servers currently exposed on the public internet, this vulnerability is immediately and broadly exploitable – no credentials required,” Cyera warns.
Depending on how Ollama is used, successful exploitation of Bleeding Llama could expose employee interactions, development code, routed tool outputs, and prompts containing PII, PHI, and other sensitive information.
According to Cyera, “any deployment where Ollama is network-accessible without a firewall or authentication proxy in front of it” is at risk of exploitation.
The vulnerability was addressed in Ollama version 0.17.1. Organizations are advised to apply the fix as soon as possible and restrict network access to their deployments. Deploying an authentication proxy and network segmentation should improve security.
Organizations should also audit running instances for internet exposure and consider any instance accessible from the internet, as well as the environment variables and data passing through it, to be compromised.

