AI Threat Alert
CVE-2026-7020: Ollama: path traversal in tensor model transfer handler
LOW CISA: TRACK*A path traversal vulnerability (CWE-22) exists in Ollama's tensor model transfer handler, specifically in the digestToPath function of x/imagegen/transfer/transfer.go, allowing unauthenticated remote attackers to read or manipulate files outside intended directories by crafting a malicious digest argument. While rated medium severity (CVSS 5.6) with high attack complexity, Ollama sits in the top 82nd EPSS percentile and a public exploit has already been released — significantly compressing the window between disclosure and active exploitation. The vendor did not respond to the coordinated disclosure, leaving no official patch timeline and placing the remediation burden entirely on operators. Organizations running Ollama for local LLM or image generation inference should upgrade beyond version 0.20.2 immediately and, if patching is not possible, restrict the Ollama API to localhost or trusted network segments only.
What is the risk?
Medium risk with elevated practical urgency due to public exploit availability and the top-82nd-percentile EPSS score. The high attack complexity (AC:H) is the primary barrier to mass exploitation, but the absence of required authentication (PR:N, UI:N) and network-accessible attack vector make this attractive for targeted attacks against exposed Ollama deployments. The vendor's non-responsiveness to disclosure is a compounding supply chain governance concern — there is no patch commitment or advisory, meaning operators must act unilaterally. The SSVC decision of TRACK_STAR indicates security teams should actively monitor this one for escalation.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Ollama | pip | — | No patch |
Do you use Ollama? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Upgrade Ollama beyond version 0.20.2 as soon as a community or vendor patch is released; monitor the Ollama GitHub repository actively given the lack of vendor response.
-
Immediately restrict Ollama API binding to localhost (127.0.0.1) if external access is not required; apply firewall or network ACL rules to block external access to Ollama's default port (11434).
-
Audit all current Ollama deployments for unintended network exposure using internal port scanning or firewall rule review.
-
Monitor application and network logs for requests to tensor model transfer endpoints containing path traversal sequences in digest parameters (e.g., '../', '%2e%2e%2f', encoded variants).
-
Apply least-privilege to the Ollama process user to minimize the blast radius of a successful traversal — restrict read/write access to model directories only.
-
If Ollama is part of a larger AI inference pipeline, audit what secrets or credentials are accessible in directories the Ollama process can reach.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-7020?
A path traversal vulnerability (CWE-22) exists in Ollama's tensor model transfer handler, specifically in the digestToPath function of x/imagegen/transfer/transfer.go, allowing unauthenticated remote attackers to read or manipulate files outside intended directories by crafting a malicious digest argument. While rated medium severity (CVSS 5.6) with high attack complexity, Ollama sits in the top 82nd EPSS percentile and a public exploit has already been released — significantly compressing the window between disclosure and active exploitation. The vendor did not respond to the coordinated disclosure, leaving no official patch timeline and placing the remediation burden entirely on operators. Organizations running Ollama for local LLM or image generation inference should upgrade beyond version 0.20.2 immediately and, if patching is not possible, restrict the Ollama API to localhost or trusted network segments only.
Is CVE-2026-7020 actively exploited?
No confirmed active exploitation of CVE-2026-7020 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-7020?
1. Upgrade Ollama beyond version 0.20.2 as soon as a community or vendor patch is released; monitor the Ollama GitHub repository actively given the lack of vendor response. 2. Immediately restrict Ollama API binding to localhost (127.0.0.1) if external access is not required; apply firewall or network ACL rules to block external access to Ollama's default port (11434). 3. Audit all current Ollama deployments for unintended network exposure using internal port scanning or firewall rule review. 4. Monitor application and network logs for requests to tensor model transfer endpoints containing path traversal sequences in digest parameters (e.g., '../', '%2e%2e%2f', encoded variants). 5. Apply least-privilege to the Ollama process user to minimize the blast radius of a successful traversal — restrict read/write access to model directories only. 6. If Ollama is part of a larger AI inference pipeline, audit what secrets or credentials are accessible in directories the Ollama process can reach.
What systems are affected by CVE-2026-7020?
This vulnerability affects the following AI/ML architecture patterns: local LLM inference, model serving, image generation pipelines, AI development environments, shared GPU inference clusters.
What is the CVSS score for CVE-2026-7020?
CVE-2026-7020 has a CVSS v3.1 base score of 3.7 (LOW). The EPSS exploitation probability is 0.91%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0025 Exfiltration via Cyber Means AML.T0037 Data from Local System AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component Tensor Model Transfer Handler. The manipulation of the argument digest results in path traversal. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An adversary identifies an Ollama instance with a network-accessible API — common in team GPU servers, cloud-deployed AI development environments, or containerized inference stacks exposed via misconfigured network policies. Using the publicly released exploit, they craft an HTTP request to the tensor model transfer endpoint, supplying a digest argument with path traversal sequences (e.g., ../../../../etc/passwd or ../../../../home/user/.env). Ollama's digestToPath function in x/imagegen/transfer/transfer.go fails to sanitize the digest input before resolving it to a filesystem path, allowing the attacker to reach files outside the intended model storage directory. The attacker reads sensitive configuration files, environment variables containing API keys, SSH credentials, or model pipeline secrets accessible to the Ollama process — potentially pivoting to broader infrastructure compromise or AI supply chain manipulation.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Timeline
Related Vulnerabilities
CVE-2026-46339 10.0 9router: unauthenticated RCE exposes LLM API keys
Same package: ollama CVE-2026-42248 9.8 Ollama: silent auto-update bypasses signature check on Windows
Same package: ollama CVE-2025-63389 9.8 ollama: Missing Auth allows unauthenticated access
Same package: ollama CVE-2026-42249 9.8 Ollama: path traversal + unsigned update = silent RCE
Same package: ollama CVE-2026-7482 9.1 Ollama: heap OOB read leaks API keys and chat data
Same package: ollama