cbcvebase.
CVE-2026-42249
published 2026-04-29

CVE-2026-42249: Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response…

PriorityP263critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.63%
45.4th percentile
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory. An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker‑chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables. Critically, when chained with CVE‑2026‑42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness. Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Affected

1 ranges
VendorProductVersion rangeFixed in
ollamaollama0.12.10 – 0.17.5

Detection & IOCsextracted from sources · hover to see the quote

path%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
url/api/update
ip127.0.0.1:11434
  • Monitor for new executable files written to the Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) by the Ollama process, which may indicate successful path traversal exploitation.
  • Detect path traversal sequences (../) in HTTP response headers consumed by the Ollama updater; the application passes header-derived values directly to filepath.Join without sanitization.
  • Alert on the OLLAMA_UPDATE_URL environment variable being set to a non-default or plain HTTP value, which an attacker would use to redirect the client to a malicious update server.
  • Monitor Ollama process spawning child processes or writing binaries outside its expected staging directory, particularly into user Startup folders, as an indicator of exploitation.
  • Flag Ollama Windows installations running versions 0.12.10 through 0.17.5 (confirmed vulnerable) or up to 0.22.0 (per researcher statement) for prioritized patching and monitoring.
  • ·The attack chain requires AutoUpdateEnabled to be on, which is the default setting; disabling automatic updates mitigates exploitation.
  • ·Without chaining with CVE-2026-42248 (missing signature verification), path traversal-based persistence is not achieved; the missing signature check alone can also lead to code execution without path traversal.
  • ·Without the path traversal (CVE-2026-42249), RCE via CVE-2026-42248 alone is not persistent because the next legitimate update overwrites the staged file.
  • ·The attacker must be able to control or intercept the update server reachable by the victim's Ollama client for exploitation to succeed.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.7HIGHCVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.