CVE-2026-42249 (GCVE-0-2026-42249)

Vulnerability from cvelistv5 – Published: 2026-04-29 11:44 – Updated: 2026-04-29 13:20 X_Open Source
VLAI?
Title
Remote Code Execution in Ollama via Update Mechanism
Summary
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Severity ?
7.7 (High)
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CWE
  • CWE-494 - Download of Code Without Integrity Check
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Vendor Product Version
Ollama Ollama Affected: 0.12.10 , ≤ 0.17.5 (semver)
Create a notification for this product.
Credits
Bartłomiej Dmitruk (striga.ai)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42249",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:20:16.814725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:20:29.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "platforms": [
            "Windows"
          ],
          "product": "Ollama",
          "repo": "https://github.com/ollama/ollama",
          "vendor": "Ollama",
          "versions": [
            {
              "lessThanOrEqual": "0.17.5",
              "status": "affected",
              "version": "0.12.10",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bart\u0142omiej Dmitruk (striga.ai)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ollama for Windows\u0026nbsp;contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to \u003ci\u003efilepath.Join\u003c/i\u003e, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\u003cbr\u003eAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\u003cbr\u003e\u003cbr\u003eCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u0026nbsp;an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\u003cbr\u003e\u003cbr\u003eMaintainers of this project were notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.\u003cbr\u003e"
            }
          ],
          "value": "Ollama for Windows\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\n\nCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\n\nMaintainers of this project were notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-186",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-186 Malicious Software Update"
            }
          ]
        },
        {
          "capecId": "CAPEC-139",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-139 Relative Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-494",
              "description": "CWE-494: Download of Code Without Integrity Check",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T11:44:39.807Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/04/CVE-2026-42248/"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://ollama.com/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Remote Code Execution in Ollama via Update Mechanism",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-42249",
    "datePublished": "2026-04-29T11:44:39.807Z",
    "dateReserved": "2026-04-25T11:31:56.229Z",
    "dateUpdated": "2026-04-29T13:20:29.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42249",
      "date": "2026-05-01",
      "epss": "0.00034",
      "percentile": "0.09819"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42249\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2026-04-29T12:16:19.113\",\"lastModified\":\"2026-04-30T15:48:26.580\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ollama for Windows\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\\n\\nCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\\n\\nMaintainers of this project were notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-494\"}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2026/04/CVE-2026-42248/\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://ollama.com/\",\"source\":\"cvd@cert.pl\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42249\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-29T13:20:16.814725Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-29T13:20:23.094Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Remote Code Execution in Ollama via Update Mechanism\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Bart\\u0142omiej Dmitruk (striga.ai)\"}], \"impacts\": [{\"capecId\": \"CAPEC-186\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-186 Malicious Software Update\"}]}, {\"capecId\": \"CAPEC-139\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-139 Relative Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/ollama/ollama\", \"vendor\": \"Ollama\", \"product\": \"Ollama\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.12.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.17.5\"}], \"platforms\": [\"Windows\"], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2026/04/CVE-2026-42248/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://ollama.com/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Ollama for Windows\\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\\n\\nCritically, when chained with CVE\\u20112026\\u201142248 (Missing Signature Verification for Updates),\\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\\n\\nMaintainers of this project were notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Ollama for Windows\u0026nbsp;contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to \u003ci\u003efilepath.Join\u003c/i\u003e, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\u003cbr\u003eAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\u003cbr\u003e\u003cbr\u003eCritically, when chained with CVE\\u20112026\\u201142248 (Missing Signature Verification for Updates),\u0026nbsp;an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\u003cbr\u003e\u003cbr\u003eMaintainers of this project were notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-494\", \"description\": \"CWE-494: Download of Code Without Integrity Check\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-04-29T11:44:39.807Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42249\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-29T13:20:29.799Z\", \"dateReserved\": \"2026-04-25T11:31:56.229Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-04-29T11:44:39.807Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.