Critical Ollama Bug CVE-2026-7482 Exposes 300K Deployments
Cyera discloses CVE-2026-7482 (CVSS 9.3) — a heap out-of-bounds read in Ollama's GGUF model loader that leaks prompts, API keys, and secrets via three unauthenticated API calls.
Executive Summary
Cyera researchers have disclosed a critical heap out-of-bounds read vulnerability in Ollama, the popular open-source platform for running large language models locally. Tracked as CVE-2026-7482 and assigned a CVSS score of 9.3, the bug — dubbed Bleeding Llama — allows an unauthenticated remote attacker to exfiltrate sensitive data from roughly 300,000 internet-exposed Ollama deployments, including prompts, messages, API keys, tokens, and environment variables. The vulnerability resides in the GGUF model loader and can be exploited with only three unauthenticated API calls. Ollama patched the issue in version 0.17.1.
Technical Analysis
According to Cyera's disclosure, the vulnerability lies in Ollama's handling of GGUF model files. The GGUF model loader accepts an attacker-supplied file containing a declared tensor offset and size that exceeds the file's actual length. When Ollama processes this malformed file, the sensor reads past the allocated heap buffer — a classic heap out-of-bounds read — accessing memory regions that may contain sensitive information.
Cyera explains that the attacker then leverages Ollama's built-in model push feature to exfiltrate the resulting file, now containing stolen heap data, to an attacker-controlled server. The entire attack chain requires only three unauthenticated API calls, making it trivially exploitable at scale.
A critical factor amplifying the risk: Ollama launches by default without authentication and listens on all network interfaces. Cyera estimates approximately 300,000 Ollama servers are currently exposed on the public internet, meaning any internet-accessible instance is immediately vulnerable without credentials. The data at risk includes employee interactions with LLMs, development code, routed tool outputs, and prompts containing personally identifiable information (PII), protected health information (PHI), and other secrets.
Mitigations & Recommendations
Organizations should immediately upgrade Ollama to version 0.17.1, which contains the fix for CVE-2026-7482. Beyond patching, Cyera recommends deploying an authentication proxy in front of any Ollama instance and implementing network segmentation to restrict access to trusted subnets only. Administrators should audit all running Ollama deployments for internet exposure. Cyera advises treating any instance that was accessible from the internet — along with all environment variables and data that passed through it — as potentially compromised.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.
