CVE-2026-42249: Ollama path traversal + unsigned

CISO Take

Ollama for Windows versions 0.12.10–0.17.5 contains a path traversal flaw (CWE-22) in its update mechanism that, when chained with CVE-2026-42248 (missing update signature verification, CWE-494), allows an attacker with network interception capability to write arbitrary executables to any user-accessible Windows path — including the Startup directory — without triggering any user prompt. Because Ollama performs silent automatic updates and executes staged binaries without user interaction, successful exploitation achieves persistent, stealthy code execution on developer or inference workstations. Though no public exploit exists, this vulnerability ranks in the top 87th EPSS percentile, and the attack chain is mechanically straightforward for any adversary with MITM access to update traffic. If your team runs Ollama on Windows endpoints, disable automatic updates immediately and block outbound update traffic at the firewall until a patched version is confirmed.

Sources: NVD EPSS ATLAS cert.pl

What is the risk?

The vulnerability chain represents a high-risk condition for Windows-based Ollama deployments. The path traversal alone (CWE-22) rates high impact due to arbitrary file write capability; combined with unsigned update delivery (CWE-494), it becomes a no-interaction RCE with automatic persistence. Exploitation requires a network-level MITM position — achievable via rogue DNS, compromised Wi-Fi, or update server compromise — placing sophistication at moderate but well within reach of motivated attackers targeting AI development environments. The absence of a public exploit and KEV listing moderates immediate urgency, but the SSVC TRACK status and 87th EPSS percentile indicate meaningful exploitation likelihood that warrants near-term remediation across all Windows Ollama deployments.

How does the attack unfold?

Network Interception

Attacker achieves MITM position via rogue DNS, ARP spoofing, or compromised update infrastructure to intercept Ollama's outbound HTTP update polling requests.

AML.T0010.001

Path Traversal Injection

Attacker crafts malicious HTTP response headers containing path traversal sequences (e.g., ../../Startup/payload.exe) that Ollama passes unsanitized to filepath.Join, resolving to an attacker-chosen write location.

AML.T0049

Unsigned Payload Staging

Ollama writes the attacker-controlled binary to the Windows Startup directory without verifying any cryptographic signature, exploiting the missing integrity check of CVE-2026-42248.

AML.T0079

Persistent Code Execution

On next Windows login, the malicious binary executes automatically with the user's privileges, establishing persistent access to the AI developer's machine including local model weights, API credentials, and connected AI infrastructure.

AML.T0112

Network Interception

Attacker achieves MITM position via rogue DNS, ARP spoofing, or compromised update infrastructure to intercept Ollama's outbound HTTP update polling requests.

AML.T0010.001

Path Traversal Injection

Attacker crafts malicious HTTP response headers containing path traversal sequences (e.g., ../../Startup/payload.exe) that Ollama passes unsanitized to filepath.Join, resolving to an attacker-chosen write location.

AML.T0049

Unsigned Payload Staging

Ollama writes the attacker-controlled binary to the Windows Startup directory without verifying any cryptographic signature, exploiting the missing integrity check of CVE-2026-42248.

AML.T0079

Persistent Code Execution

On next Windows login, the malicious binary executes automatically with the user's privileges, establishing persistent access to the AI developer's machine including local model weights, API credentials, and connected AI infrastructure.

AML.T0112

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Ollama	pip	—	No patch
173.4K 1.5K dependents Pushed 6d ago 12% patched ~0d to patch Full package profile →

Do you use Ollama? You're affected.

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 50% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

1 step

1) Upgrade Ollama to a version beyond 0.17.5 once a patched release is confirmed by maintainers — check the official release page and cert.pl advisory for patch status. 2) If no patch is available, disable Ollama's automatic update feature in its configuration immediately. 3) Block outbound network access from Ollama processes to update endpoints at the firewall or endpoint proxy level. 4) Audit Windows Startup directories (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) on all Ollama-running systems for unexpected executables. 5) Deploy EDR rules to alert on Ollama writing executables outside its expected installation directory (e.g., Program Files). 6) For enterprise deployments, route Ollama update traffic through an internally managed, signature-verified mirror. 7) Monitor Ollama processes for unexpected child process spawning.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Inference AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0079 - Stage Capabilities AML.T0112 - Machine Compromise

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.3 - AI system security

NIST AI RMF

MANAGE 2.2 - Strategies to address AI risks

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-42249?

Ollama for Windows versions 0.12.10–0.17.5 contains a path traversal flaw (CWE-22) in its update mechanism that, when chained with CVE-2026-42248 (missing update signature verification, CWE-494), allows an attacker with network interception capability to write arbitrary executables to any user-accessible Windows path — including the Startup directory — without triggering any user prompt. Because Ollama performs silent automatic updates and executes staged binaries without user interaction, successful exploitation achieves persistent, stealthy code execution on developer or inference workstations. Though no public exploit exists, this vulnerability ranks in the top 87th EPSS percentile, and the attack chain is mechanically straightforward for any adversary with MITM access to update traffic. If your team runs Ollama on Windows endpoints, disable automatic updates immediately and block outbound update traffic at the firewall until a patched version is confirmed.

Is CVE-2026-42249 actively exploited?

No confirmed active exploitation of CVE-2026-42249 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42249?

1) Upgrade Ollama to a version beyond 0.17.5 once a patched release is confirmed by maintainers — check the official release page and cert.pl advisory for patch status. 2) If no patch is available, disable Ollama's automatic update feature in its configuration immediately. 3) Block outbound network access from Ollama processes to update endpoints at the firewall or endpoint proxy level. 4) Audit Windows Startup directories (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) on all Ollama-running systems for unexpected executables. 5) Deploy EDR rules to alert on Ollama writing executables outside its expected installation directory (e.g., Program Files). 6) For enterprise deployments, route Ollama update traffic through an internally managed, signature-verified mirror. 7) Monitor Ollama processes for unexpected child process spawning.

What systems are affected by CVE-2026-42249?

This vulnerability affects the following AI/ML architecture patterns: local LLM inference, AI development environments, model serving.

What is the CVSS score for CVE-2026-42249?

CVE-2026-42249 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

local LLM inferenceAI development environmentsmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0079 Stage Capabilities

AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.9.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Exploitation Scenario

An attacker targets an AI development team's Windows workstations by poisoning DNS responses or performing ARP spoofing on the corporate network to intercept Ollama's HTTP update polling traffic. When Ollama checks for updates, the attacker's server responds with HTTP headers containing a filename value embedding path traversal sequences such as '../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/agent.exe'. Because Ollama constructs the local write path via filepath.Join without sanitizing traversal sequences, it writes the attacker-supplied binary directly to the user's Startup folder. Since CVE-2026-42248 means no cryptographic signature is checked, any payload is accepted. On the next Windows login, the binary executes silently with user privileges — establishing persistent access to a machine containing local LLM weights, provider API credentials, and access to internal AI infrastructure.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-494 Download of Code Without Integrity Check Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.