A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
The Ollama platform exposes a range of API endpoints without requiring any authentication (CWE-306: Missing Authentication for Critical Function). Attackers can remotely, without possessing any credentials, directly send requests to these endpoints over the network. The absence of an identity control mechanism means that every network request is accepted and processed the same way as a request from an authorized user.
Attackers can perform language model management operations without authentication, including potentially downloading, modifying, or deleting models, leading to violations of system confidentiality, integrity, and availability (full CVSS C:H/I:H/A:H).
Ollama should be updated to a version higher than v0.12.3. Until the update is deployed, it is recommended to restrict access to the Ollama API at the network level (firewall, access rules) to trusted hosts only, and to avoid publicly exposing API endpoints on the Internet. Details are available in the vendor references.
Ollama in versions up to and including v0.12.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOllama
APPOllama≤ 0.12.3
Related vulnerabilities
Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an at...
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/creat...
Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. U...
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper hand...
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, fu...