CVE-2024-39722 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any unauthenticated attacker with network access to an Ollama instance can enumerate files on the host server via a crafted api/push request — no credentials or user interaction required. If Ollama is internet-facing or accessible from untrusted networks, treat this as an active risk: patch to 0.1.46+ immediately and audit firewall rules. The file disclosure can accelerate lateral movement by revealing config paths, credential files, and model locations.

Risk Assessment

HIGH. The CVSS 7.5 score reflects the reality: zero authentication, zero complexity, full network reach. The primary risk amplifier is deployment posture — Ollama instances exposed beyond localhost (cloud VMs with open ports, developer machines on shared networks) are directly exploitable. File existence probing alone can map sensitive paths (.env, API keys, SSH configs) to support follow-on attacks. EPSS data unavailable but exploitation tooling is trivial to build from the public Oligo advisory.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
ollama	pip	—	No patch
170.6K 1.4K dependents Pushed 6d ago 4% patched ~0d to patch Full package profile →

Do you use ollama? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

62.2%

chance of exploitation in 30 days

Higher than 98% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 62%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

PATCH

Upgrade Ollama to 0.1.46 or later — this is the only definitive fix.
NETWORK

Restrict Ollama API port (default 11434) to localhost or trusted internal subnets via firewall rules. Ollama should never be internet-facing without a reverse proxy with authentication.
DETECT

Review access logs for api/push requests containing path traversal sequences (../, %2e%2e%2f, encoded variants). Alert on unexpected file paths in push payloads.
HARDEN

Run Ollama under a dedicated low-privilege user account with a restricted filesystem view (chroot or container with minimal bind mounts).
AUDIT

If Ollama was exposed, assume server file paths have been enumerated — rotate any secrets stored in discoverable locations.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Inference API AML.T0006 - Active Scanning AML.T0007 - Discover AI Artifacts AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.2 - AI system security controls — operational security

NIST AI RMF

MANAGE-2.2 - Mechanisms to detect and respond to AI risks

OWASP LLM Top 10

LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-39722?

Any unauthenticated attacker with network access to an Ollama instance can enumerate files on the host server via a crafted api/push request — no credentials or user interaction required. If Ollama is internet-facing or accessible from untrusted networks, treat this as an active risk: patch to 0.1.46+ immediately and audit firewall rules. The file disclosure can accelerate lateral movement by revealing config paths, credential files, and model locations.

Is CVE-2024-39722 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-39722, increasing the risk of exploitation.

How to fix CVE-2024-39722?

1. PATCH: Upgrade Ollama to 0.1.46 or later — this is the only definitive fix. 2. NETWORK: Restrict Ollama API port (default 11434) to localhost or trusted internal subnets via firewall rules. Ollama should never be internet-facing without a reverse proxy with authentication. 3. DETECT: Review access logs for api/push requests containing path traversal sequences (../, %2e%2e%2f, encoded variants). Alert on unexpected file paths in push payloads. 4. HARDEN: Run Ollama under a dedicated low-privilege user account with a restricted filesystem view (chroot or container with minimal bind mounts). 5. AUDIT: If Ollama was exposed, assume server file paths have been enumerated — rotate any secrets stored in discoverable locations.

What systems are affected by CVE-2024-39722?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model serving, agent frameworks, local AI development environments.

What is the CVSS score for CVE-2024-39722?

CVE-2024-39722 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 62.17%.

Technical Details

NVD Description

An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route.

Exploitation Scenario

An adversary scanning for exposed AI inference endpoints identifies an Ollama instance on port 11434. Using the public Oligo research as a guide, they send crafted POST requests to /api/push with path traversal sequences in model name or file reference fields. By iterating common paths (/etc/passwd, /home/user/.env, /root/.aws/credentials, /app/config.yaml), they confirm which sensitive files exist on the host. This reconnaissance map is used to craft targeted exploitation — for example, if an .env file is confirmed present, they pivot to a second vulnerability or misconfiguration to read it. In AI environments where Ollama co-exists with LangChain apps or vector databases, the disclosed paths can reveal the full stack architecture for a chained attack.