CVE-2026-5530: Ollama: SSRF in Model Pull API enables network pivot

MEDIUM
Published April 5, 2026
CISO Take

Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.

Sources: NVD EPSS ATLAS

What is the risk?

CVSS 6.3 (Medium) materially understates practical risk in AI infrastructure contexts. Ollama is commonly deployed as an internal inference server in a trusted-network position, making SSRF particularly dangerous: cloud metadata endpoints, internal Kubernetes API servers, Consul/Vault instances, and adjacent microservices all become reachable via a single crafted model pull request. Attack complexity is low, privileges required are low, and no user interaction is needed — this requires zero AI/ML expertise to exploit. The 91st EPSS percentile indicates this class of SSRF is actively targeted across the ecosystem. Risk escalates sharply for any cloud-hosted Ollama instance not enforcing IMDSv2, or any deployment accessible beyond localhost.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 22% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I Low
A Low

What should I do?

5 steps
  1. PATCH

    Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification.

  2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback.

  3. AUTHENTICATION

    Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints.

  4. DETECTION

    Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs.

  5. CLOUD HARDENING

    Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2 - AI System Security and Resilience
NIST AI RMF
MANAGE 2.2 - Risk Response and Treatment
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2026-5530?

Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.

Is CVE-2026-5530 actively exploited?

No confirmed active exploitation of CVE-2026-5530 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-5530?

1. PATCH: Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification. 2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback. 3. AUTHENTICATION: Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints. 4. DETECTION: Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs. 5. CLOUD HARDENING: Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.

What systems are affected by CVE-2026-5530?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model serving, cloud-hosted AI deployments, enterprise AI infrastructure, RAG pipelines, agent frameworks.

What is the CVSS score for CVE-2026-5530?

CVE-2026-5530 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.30%.

What is the AI security impact?

Affected AI Architectures

LLM inference servingmodel servingcloud-hosted AI deploymentsenterprise AI infrastructureRAG pipelinesagent frameworks

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with low-privilege access to an Ollama API endpoint — or via a compromised application that proxies model pull calls — submits a crafted pull request pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Ollama's download.go fetches the URL server-side without destination validation, returning the AWS instance profile's temporary IAM credentials. The adversary uses these credentials to enumerate and exfiltrate S3 buckets containing training data or fine-tuned model weights, access Secrets Manager for downstream API keys, or pivot laterally into the internal VPC. The identical technique applies to internal Kubernetes API servers, Vault/Consul clusters, or any RFC-1918 service reachable from the Ollama host — enabling full internal reconnaissance with a single crafted API call.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published
April 5, 2026
Last Modified
July 7, 2026
First Seen
April 5, 2026

Related Vulnerabilities