CVE-2026-7020

MEDIUM
Published April 26, 2026

A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote....

Severity & Risk

CVSS 3.1: 5.6 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: N/A

Attack Surface

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: Low
I: Low
A: Low

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Frequently Asked Questions

What is CVE-2026-7020?

A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Is CVE-2026-7020 actively exploited?

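No confirmed active exploitation of CVE-2026-7020 has been reported. An exploit has been released to the public and no patch is available, so organizations should apply compensating controls and monitor for a fixed release.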

How to fix CVE-2026-7020?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-7020?

CVE-2026-7020 has a CVSS v3.1 base score of 5.6 (MEDIUM).

Technical Details

NVD Description

A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
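
The bug class described above, as an added Go example that is not Ollama's code and is not taken from the advisory: a digest joined into a path without validation, next to a hardened mapping that allowlists the digest format and re-checks containment. The function names, the sample directory and the assumed digest form ("sha256:" followed by 64 lowercase hex characters) are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumption: digests have the form "sha256:<64 lowercase hex chars>".
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var ErrBadDigest = errors.New("invalid digest")

// NaivePath is a constructed illustration of the bug class, not Ollama's code:
// the digest is joined into a path without any validation.
func NaivePath(root, digest string) string {
	return filepath.Join(root, strings.Replace(digest, ":", "-", 1))
}

// Contained reports whether p resolves lexically to a location inside root.
func Contained(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafePath (hypothetical helper) validates the digest against a strict
// allowlist, then re-checks containment as defence in depth.
func SafePath(root, digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("%w: %q", ErrBadDigest, digest)
	}
	p := NaivePath(root, digest)
	if !Contained(root, p) {
		return "", fmt.Errorf("%w: escapes %s", ErrBadDigest, root)
	}
	return p, nil
}

func main() {
	root := "/var/lib/models/blobs" // constructed sample directory
	for _, d := range []string{"sha256:" + strings.Repeat("ab", 32), "sha256:../../../outside"} {
		p, err := SafePath(root, d)
		fmt.Printf("naive=%s safe=%q err=%v\n", NaivePath(root, d), p, err)
	}
}
```

The `Contained` check can also be run over paths recorded in existing logs to flag digest values that resolved outside the blob directory.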

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: April 26, 2026
Last Modified: April 26, 2026
First Seen: April 26, 2026