Striga co-founder Bartłomiej Dmitruk reported two chained vulnerabilities in Ollama’s Windows auto-updater to the project’s security address in late January 2026. It’s now May, v0.23.0 shipped two days ago, and there’s still no patch.
The vulnerability chain (CVE-2026-42248, CVE-2026-42249) lets an attacker who controls Ollama’s update response write an arbitrary executable into the user’s Windows Startup folder, where it runs silently on every login. CVE-2026-42248 is the uglier half: the signature verification function exists, gets called, and returns no error — it just does nothing. Unsigned code runs freely through the normal update flow. CVE-2026-42249 is a path traversal flaw where the updater builds local file paths from HTTP response headers without sanitizing them. A malicious ETag header with ../ sequences drops a payload straight into the Startup folder. Windows runs it on every subsequent login, with no Mark-of-the-Web warning.
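For readers who want to see what the two missing checks look like when they actually work, here is an added example in Go (the language Ollama is written in). It is not Ollama's code or Striga's proof of concept; it is a fail-closed sketch of the two controls the article says were absent: a path helper that only accepts a plain token as the ETag-derived file name and confirms the result stays inside the download directory, and a signature check that returns an error on a missing or invalid signature instead of returning nil. The key pair, payload bytes and ETag values are constructed for the demo; a real updater would embed the vendor's public key and never generate one at runtime.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Sentinel errors so callers can tell the two failure modes apart.
var (
	ErrUnsafeName   = errors.New("update: ETag does not yield a safe file name")
	ErrBadSignature = errors.New("update: signature missing or invalid")
)

// Only a plain token is accepted as a file name: no path separators, no
// spaces, no control characters, bounded length.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9._-]{1,128}$`)

// SafeUpdatePath derives a local file path from a server-supplied ETag and
// confines it to baseDir. It strips the usual quoting and weak-validator
// prefix, rejects anything that is not a plain token, and then checks that
// the cleaned path still resolves inside baseDir.
func SafeUpdatePath(baseDir, etag string) (string, error) {
	name := strings.TrimPrefix(strings.TrimSpace(etag), "W/")
	name = strings.Trim(name, `"`)
	if name == "." || name == ".." || !tokenPattern.MatchString(name) {
		return "", ErrUnsafeName
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name) // Join also runs Clean
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

// VerifyUpdate checks an ed25519 signature over the downloaded bytes and
// fails closed: a missing, short or malformed signature is an error, never
// a silent pass.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// DemoKeyPair returns a throwaway key pair, constructed for this example only.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate produces the detached signature a release pipeline would publish.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

func main() {
	pub, priv := DemoKeyPair()
	payload := []byte("constructed update bytes, not a real release")
	fmt.Println("signed:   ", VerifyUpdate(pub, payload, SignUpdate(priv, payload)))
	fmt.Println("unsigned: ", VerifyUpdate(pub, payload, nil))
	fmt.Println("tampered: ", VerifyUpdate(pub, append(payload, '!'), SignUpdate(priv, payload)))

	// Constructed ETag values: two benign ones and two that must be refused.
	for _, tag := range []string{`"5f8a1c"`, `W/"v0.23.0-installer"`, `"../../traversal-attempt"`, `""`} {
		p, err := SafeUpdatePath("updates", tag)
		fmt.Printf("%-28s -> %q %v\n", tag, p, err)
	}
}
```

The `filepath.Rel` check after the regex is deliberately redundant: the allow-list already excludes separators, but keeping the containment check means a later relaxation of the pattern cannot quietly reintroduce traversal. The same fail-closed shape applies to the signature path: the only way to get `nil` out of `VerifyUpdate` is a signature that actually verifies.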
Ollama’s popular with developers who run local LLMs to avoid cloud costs and data exposure. Auto-update is on by default, Ollama sits in the Startup folder by default, and most Windows installs don’t change either setting.
After five weeks of silence, CERT Polska stepped in, assigned the CVEs, and published a warning on April 29. Striga confirmed the flaw in every release from v0.12.10 through v0.22.0, with no commits touching the vulnerable functions. Nothing changed.
Until a patch ships, Dmitruk’s advice: disable Auto-download updates in settings and delete any existing Ollama shortcut from your Startup folder.
Nathan Zakhary