Researchers at Striga have unveiled two critical vulnerabilities (CVE-2026-42248, CVE-2026-42249) within Ollama’s Windows auto-updater. When exploited in tandem, these vulnerabilities could enable an attacker to stealthily install a persistent executable that activates with each user login.
CVE-2026-42248 and CVE-2026-42249
Ollama serves as an open-source platform for running large language models locally, appealing to users who prefer to keep their data on their devices, free from API constraints, usage limits, or the need for an internet connection. The Windows desktop client integrates the local Ollama server, a chat interface, and a system-tray icon, automatically starting upon login and checking for updates in the background. Striga co-founder Bartłomiej Dmitruk elaborated that the vulnerability chain was identified during a thorough audit of the Ollama repository.
The first vulnerability, CVE-2026-42248, presents a straightforward issue: while the Windows build’s auto-updater includes a signature verification function, it fails to execute its intended purpose, resulting in any downloaded content being executed without scrutiny. In contrast, the macOS version of Ollama performs adequate code-signing checks, as noted by the researchers.
The second vulnerability, CVE-2026-42249, is characterized as a path traversal flaw. This arises because the Windows updater constructs the local path for a staged installer directly from HTTP response headers without proper sanitization. An attacker controlling the update response can inject a malicious ETag header containing ../ sequences, allowing them to write an arbitrary executable directly into the user’s Windows Startup folder. Dmitruk emphasized that since the signature check indicates “no error,” the usual cleanup process that would eliminate unsigned files does not occur, enabling the malicious payload to persist indefinitely. Consequently, the dropped executable runs on every subsequent login without any warning, as it lacks a Mark-of-the-Web tag.
Attack prerequisites
To successfully exploit these vulnerabilities, an attacker must gain control over the update response received by Ollama. Dmitruk outlined three potential avenues for this: compromising the update infrastructure directly; redirecting the client to an attacker-controlled server through a local foothold (such as modifying the OLLAMAUPDATEURL variable, editing the hosts file, or using a rogue root certificate); or executing a network-level interception via TLS man-in-the-middle (MITM) or DNS hijacking with a forged certificate.
Additional requirements for the attack include having the Auto-update option enabled (which is the default setting) and ensuring Ollama is located in the Startup folder (also the default). “For the secondary path (CVE-2026-42248 alone, without traversal), Ollama must be launched from the Startup-folder shortcut for DoUpgradeAtStartup to trigger. However, the primary chain does not necessitate this; Windows will execute the dropped file from the user’s Startup folder regardless of how Ollama is initiated,” he explained.
Striga researchers reported their findings to Ollama’s designated security address in late January 2026, but received no response. A follow-up through a maintainer’s personal email yielded only a brief acknowledgment before communication ceased. “We have yet to see any public statement from the maintainers regarding either CVE,” Dmitruk remarked. After five weeks of no engagement, CERT Polska assumed responsibility for coordinating the disclosure, assigning the CVEs, and issuing a warning on April 29, confirming that Ollama for Windows versions 0.12.10 through 0.17.5 are vulnerable.
What should users do?
“CERT Polska tested version 0.15.1 end-to-end with our proof of concept and confirmed it as vulnerable, exercising caution regarding untested releases,” Dmitruk stated. “We extended our verification by conducting static checks across every release tag for the four chain indicators – (filepath.Join(UpdateStageDir, etag, …), verifyDownload(){ return nil }, OLLAMAUPDATEURL override, STARTF_TITLEISLINKNAME detection) – and confirmed all four were present from version 0.12.10 (when the rewritten desktop-app code was merged) through version 0.22.0, with no commits in that range addressing the vulnerable functions.”
Despite the recent release of Ollama version 0.23.0, which also lacks a patch, Dmitruk advised users to disable the Auto-download updates option in Ollama’s settings. “Turning it off prevents the background download check from occurring before any update response is retrieved, effectively stopping the path traversal write and ensuring nothing is saved to disk. For thoroughness, users should also remove any existing Ollama shortcut from %APPDATA%MicrosoftWindowsStart MenuProgramsStartup to eliminate the silent execution route upon login.”
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities, and cybersecurity threats. Subscribe here!
