CVE-2026-5530: Ollama: SSRF in Model Pull API enables network pivot

MEDIUM
Published April 5, 2026
CISO Take

Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.

Sources: NVD, EPSS, ATLAS

What is the risk?

CVSS 6.3 (Medium) materially understates practical risk in AI infrastructure contexts. Ollama is commonly deployed as an internal inference server in a trusted-network position, making SSRF particularly dangerous: cloud metadata endpoints, internal Kubernetes API servers, Consul/Vault instances, and adjacent microservices all become reachable via a single crafted model pull request. Attack complexity is low, privileges required are low, and no user interaction is needed — this requires zero AI/ML expertise to exploit. The 91st EPSS percentile indicates this class of SSRF is actively targeted across the ecosystem. Risk escalates sharply for any cloud-hosted Ollama instance not enforcing IMDSv2, or any deployment accessible beyond localhost.

Severity & Risk

CVSS 3.1: 6.3 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 3% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

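AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): Low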

What should I do?

  1. PATCH: Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification.

  2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback.

  3. AUTHENTICATION: Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints.

  4. DETECTION: Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs.

  5. CLOUD HARDENING: Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.2 - AI System Security and Resilience
NIST AI RMF: MANAGE 2.2 - Risk Response and Treatment
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2026-5530?

Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.

Is CVE-2026-5530 actively exploited?

No confirmed active exploitation of CVE-2026-5530 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-5530?

  1. PATCH: Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification.

  2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback.

  3. AUTHENTICATION: Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints.

  4. DETECTION: Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs.

  5. CLOUD HARDENING: Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.

What systems are affected by CVE-2026-5530?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model serving, cloud-hosted AI deployments, enterprise AI infrastructure, RAG pipelines, agent frameworks.

What is the CVSS score for CVE-2026-5530?

CVE-2026-5530 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with low-privilege access to an Ollama API endpoint — or via a compromised application that proxies model pull calls — submits a crafted pull request pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Ollama's download.go fetches the URL server-side without destination validation, returning the AWS instance profile's temporary IAM credentials. The adversary uses these credentials to enumerate and exfiltrate S3 buckets containing training data or fine-tuned model weights, access Secrets Manager for downstream API keys, or pivot laterally into the internal VPC. The identical technique applies to internal Kubernetes API servers, Vault/Consul clusters, or any RFC-1918 service reachable from the Ollama host — enabling full internal reconnaissance with a single crafted API call.
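
The destination validation this scenario describes as missing, and the range block from the network-controls step, sketched as a dial-time guard in Go. This is an added example, not Ollama's code or its fix; the names blockedDest, guardDial and newGuardedClient and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// blockedDest covers the ranges the advisory lists: loopback, RFC-1918 (plus
// IPv6 unique-local, which contains fd00:ec2::254) and link-local, which
// contains 169.254.169.254. The unspecified address is refused as well.
func blockedDest(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// guardDial is a net.Dialer Control hook. It sees the IP actually being
// connected to, after DNS resolution, so hostnames and redirects that land
// on an internal address are refused along with literal internal IPs.
func guardDial(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("refusing unparsable dial address %q: %w", address, err)
	}
	if blockedDest(ap.Addr()) {
		return fmt.Errorf("refusing dial to internal address %s", ap.Addr())
	}
	return nil
}

// newGuardedClient builds an HTTP client whose connections all pass guardDial.
// No proxy is configured, so the dialed address is the real destination.
func newGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: guardDial}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed dial addresses; 203.0.113.10 (documentation range) stands in for a public host.
	for _, addr := range []string{"169.254.169.254:80", "[fd00:ec2::254]:80", "10.0.0.5:8500", "203.0.113.10:443"} {
		fmt.Printf("%-22s %v\n", addr, guardDial("tcp", addr, nil))
	}
}
```

Checking at dial time rather than on the URL string means a hostname that resolves to an internal address is caught too; a deployment that sends fetches through an outbound proxy needs the equivalent check at the proxy.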

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: April 5, 2026
Last Modified: April 24, 2026
First Seen: April 5, 2026
