CVE-2026-5530: Ollama: SSRF in Model Pull API enables network pivot
MEDIUM
Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.
What is the risk?
CVSS 6.3 (Medium) materially understates practical risk in AI infrastructure contexts. Ollama is commonly deployed as an internal inference server in a trusted-network position, making SSRF particularly dangerous: cloud metadata endpoints, internal Kubernetes API servers, Consul/Vault instances, and adjacent microservices all become reachable via a single crafted model pull request. Attack complexity is low, privileges required are low, and no user interaction is needed — this requires zero AI/ML expertise to exploit. The 91st EPSS percentile indicates this class of SSRF is actively targeted across the ecosystem. Risk escalates sharply for any cloud-hosted Ollama instance not enforcing IMDSv2, or any deployment accessible beyond localhost.
What should I do?
1. PATCH: Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification.
2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback.
3. AUTHENTICATION: Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints.
4. DETECTION: Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs.
5. CLOUD HARDENING: Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.
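The destination restriction from the network-controls step can also be enforced inside a Go HTTP client. The following is an added example, not Ollama's code and not a vendor patch: a `net.Dialer` `Control` hook that checks the resolved IP immediately before connecting. The function names and the IPv6 prefixes are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// Ranges from the workaround above; the IPv6 prefixes are this example's addition.
var blocked = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fe80::/10"), netip.MustParsePrefix("fc00::/7"), // fd00:ec2::254
}

// DestinationBlocked reports whether ip must not be fetched. Unmap folds ::ffff:a.b.c.d
// to IPv4; the zone is stripped because Prefix.Contains never matches a zoned address.
func DestinationBlocked(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("")
	for _, p := range blocked {
		if p.Contains(ip) {
			return true
		}
	}
	return ip.IsUnspecified()
}

// guard runs after DNS resolution, so hostnames and redirects landing on internal IPs fail.
func guard(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || DestinationBlocked(ap.Addr()) { // fail closed on unparsable input
		return fmt.Errorf("egress to %q refused by SSRF guard", address)
	}
	return nil
}

// NewGuardedClient leaves Proxy nil so an environment proxy cannot relay around the check.
func NewGuardedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guard}
	return &http.Client{Timeout: 15 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	fmt.Println(guard("tcp4", "169.254.169.254:80", nil)) // constructed input
}
```

Checking at connect time rather than on the URL string means a public hostname that resolves to an internal address is still refused. The host firewall rule remains necessary for any process that does not use this client.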
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-5530?
Ollama's Model Pull API (download.go) fails to validate user-supplied URLs before making server-side HTTP requests, allowing any low-privilege authenticated user to force the inference server to fetch arbitrary internal or external resources (CWE-918). The practical blast radius is significant: Ollama is widely deployed in enterprise AI stacks, often without strong network perimeter controls, and cloud-hosted instances are trivially vulnerable to cloud provider metadata credential theft (AWS IMDSv1, GCP, Azure IMDS). Despite a raw EPSS of 0.032%, this sits in the 91st percentile of all CVEs by exploitation likelihood, and with no user interaction required and low attack complexity, opportunistic abuse is realistic. Immediately block Ollama's outbound access to RFC-1918 and link-local (169.254.0.0/16) ranges at the host firewall, enforce authentication in front of the API, and monitor for a patched release above version 18.1.
Is CVE-2026-5530 actively exploited?
No confirmed active exploitation of CVE-2026-5530 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-5530?
1. PATCH: Upgrade Ollama beyond version 18.1 as soon as a patched release is available; subscribe to Ollama GitHub releases for notification.
2. NETWORK CONTROLS (immediate workaround): Use host firewall rules or container network policies to block Ollama process outbound access to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback.
3. AUTHENTICATION: Do not expose the Ollama API directly to untrusted networks; place an authenticated reverse proxy in front of all Ollama endpoints.
4. DETECTION: Alert on HTTP requests originating from the Ollama process to internal IP ranges or metadata service IPs (169.254.169.254, fd00:ec2::254). Log all Model Pull API calls and inspect for non-registry source URLs.
5. CLOUD HARDENING: Enforce IMDSv2 (AWS) or equivalent token-gated metadata access on all cloud instances running Ollama to raise the SSRF exploitation bar from trivial to moderate.
What systems are affected by CVE-2026-5530?
This vulnerability affects the following AI/ML architecture patterns: LLM inference serving, model serving, cloud-hosted AI deployments, enterprise AI infrastructure, RAG pipelines, agent frameworks.
What is the CVSS score for CVE-2026-5530?
CVE-2026-5530 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An attacker with low-privilege access to an Ollama API endpoint — or via a compromised application that proxies model pull calls — submits a crafted pull request pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Ollama's download.go fetches the URL server-side without destination validation, returning the AWS instance profile's temporary IAM credentials. The adversary uses these credentials to enumerate and exfiltrate S3 buckets containing training data or fine-tuned model weights, access Secrets Manager for downstream API keys, or pivot laterally into the internal VPC. The identical technique applies to internal Kubernetes API servers, Vault/Consul clusters, or any RFC-1918 service reachable from the Ollama host — enabling full internal reconnaissance with a single crafted API call.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Timeline
Related Vulnerabilities
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (Same attack type: Data Extraction)
CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10) (Same attack type: Data Extraction)
CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata (Same attack type: Data Extraction)
CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read (Same attack type: Data Extraction)
CVE-2024-12909 10.0 llama-index finchat: SQL injection enables RCE (Same attack type: Data Extraction)