Every Ollama Windows installation with auto-update enabled is a persistent remote code execution vector right now. Bartłomiej Dmitruk at Striga found that out in January 2026. Ollama’s maintainers found out too, but they’ve gone dark.

Striga’s researchers surfaced CVE-2026-42248 and CVE-2026-42249 during a repository audit. Chained together, the flaws turn Ollama’s Windows auto-updater into a backdoor delivery mechanism. CVE-2026-42248 is brutal in its simplicity: the signature verification function exists and gets called, but it verifies nothing and returns no error, so any payload passes. CVE-2026-42249 is a path traversal bug. The updater builds the local install path directly from HTTP response headers without sanitising them, so an attacker who can serve or alter the update response can supply an ETag header containing ../ (or ..\) sequences and write an arbitrary executable straight into the Windows Startup folder.

Because the signature check can never fail, the cleanup path that would remove an unsigned file never runs, and the payload sits in Startup indefinitely. Windows launches it at every logon with no prompt: the file was written by the updater process rather than downloaded through a browser, so it carries no Mark-of-the-Web tag and none of the warnings that depend on that tag apply.
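The two bugs and their interaction, reconstructed in Go as an added illustration. This is not Ollama’s code and the function names are invented; Ed25519 is assumed for the “real” verifier only because the page does not say which scheme Ollama uses. The point it shows: a verifier that returns nil unconditionally makes the cleanup branch in stageUpdate unreachable, and filepath.Join happily resolves a header-supplied ".." out of the download directory, whereas safeUpdatePath rejects separators and then proves containment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Verifier checks a downloaded payload against its detached signature.
type Verifier func(payload, sig []byte) error

// noopVerify is the CVE-2026-42248 pattern: called, returns nil, checks nothing.
func noopVerify(payload, sig []byte) error { return nil }

// ed25519Verify is what the check should do. Ed25519 is an assumption for this
// example; the page does not say which scheme Ollama uses.
func ed25519Verify(pub ed25519.PublicKey) Verifier {
	return func(payload, sig []byte) error {
		if !ed25519.Verify(pub, payload, sig) {
			return errors.New("update signature invalid")
		}
		return nil
	}
}

// PathBuilder turns the ETag of the update response into a local file path.
type PathBuilder func(downloadDir, etag string) (string, error)

// unsafeUpdatePath is the CVE-2026-42249 pattern: the header value goes straight
// into the path. filepath.Join cleans "..", so "../../x" resolves above downloadDir.
func unsafeUpdatePath(downloadDir, etag string) (string, error) {
	return filepath.Join(downloadDir, etag+".exe"), nil
}

// safeUpdatePath accepts only a bare file name and then proves the joined path
// is still inside downloadDir. The first check rejects separators (including
// backslashes, which filepath ignores on non-Windows hosts); the second catches
// anything the first did not anticipate.
func safeUpdatePath(downloadDir, etag string) (string, error) {
	name := strings.Trim(etag, `"`) // ETags are normally quoted
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("refusing ETag %q as a file name", etag)
	}
	dir, err := filepath.Abs(downloadDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(dir, name+".exe")
	rel, err := filepath.Rel(dir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("ETag %q escapes %s", etag, dir)
	}
	return full, nil
}

// stageUpdate writes the payload, verifies it, and removes it on failure. The
// removal branch is the cleanup the text says never runs under noopVerify.
func stageUpdate(dir, etag string, payload, sig []byte, build PathBuilder, verify Verifier) (string, error) {
	path, err := build(dir, etag)
	if err != nil {
		return "", err
	}
	if err := os.WriteFile(path, payload, 0o755); err != nil {
		return "", err
	}
	if err := verify(payload, sig); err != nil {
		os.Remove(path) // only reachable if verify can actually fail
		return "", err
	}
	return path, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "updates")
	defer os.RemoveAll(dir)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("MZ constructed stand-in for an installer") // constructed, not a real binary
	bogusSig := []byte("not a signature")

	// Attacker-controlled ETag walking out of the download directory.
	p, _ := unsafeUpdatePath(dir, "../../Startup/evil")
	fmt.Println("unsafe path:", p)
	if _, err := safeUpdatePath(dir, "../../Startup/evil"); err != nil {
		fmt.Println("safe path rejected:", err)
	}

	// Unsigned payload survives under the no-op verifier, is removed under a real one.
	kept, _ := stageUpdate(dir, `"abc"`, payload, bogusSig, safeUpdatePath, noopVerify)
	_, statErr := os.Stat(kept)
	fmt.Println("noop verifier left file on disk:", statErr == nil)
	_, err := stageUpdate(dir, `"def"`, payload, bogusSig, safeUpdatePath, ed25519Verify(pub))
	fmt.Println("real verifier rejected it:", err != nil)
	_, err = stageUpdate(dir, `"ghi"`, payload, ed25519.Sign(priv, payload), safeUpdatePath, ed25519Verify(pub))
	fmt.Println("properly signed update accepted:", err == nil)
}
```

The better fix for the traversal is not to derive file names from response headers at all; safeUpdatePath shows the containment check for the case where a header value must be used. Note that a weak ETag (W/"…") contains a slash and is rejected outright, which is the intended conservative behaviour here.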

Striga reported the issues to Ollama’s documented security address in late January 2026 and got no reply. A maintainer’s personal email drew one acknowledgement, then silence. After five weeks, CERT Polska stepped in, assigned the CVEs, and published a warning on April 29 confirming versions 0.12.10 through 0.17.5 as vulnerable. Striga’s own static analysis extends the affected range to v0.22.0. The latest release, v0.23.0, shipped two days ago. Still no patch.

Both preconditions for the attack are defaults: automatic update downloads are enabled, and Ollama sits in the Startup folder, so the vulnerable updater runs at every logon.

If you’re running Ollama on Windows, disable automatic update downloads in the settings now, and remove any Ollama shortcut from %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup until a fix ships. While you are in that folder, look for anything that is not the Ollama shortcut, in particular an executable you did not put there, and treat it as a potentially dropped payload. Upgrading is not a fix: the current release, v0.23.0, ships without a patch.
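A small triage check for that folder, added here as an example and not part of the original post or of Ollama: it lists every file in the per-user Startup directory (the path named above is assumed to be built from %APPDATA%), flags anything the shell would launch directly at logon, and tests for the Zone.Identifier stream that Mark-of-the-Web lives in. Entries that are runnable and lack that stream match the page’s description of the dropped payload. The .lnk shortcut Ollama itself places there is deliberately not flagged; removing it is the separate step described above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one entry in the Startup folder.
type Finding struct {
	Name     string
	Runnable bool // an extension Explorer launches directly at logon
	HasMotW  bool // a Zone.Identifier stream exists (only meaningful on Windows)
}

// Extensions the shell executes directly when found in Startup. A .lnk shortcut
// is not in this set; it is what Ollama normally places there per the text.
var runnableExt = map[string]bool{
	".exe": true, ".com": true, ".scr": true, ".bat": true, ".cmd": true,
	".vbs": true, ".js": true, ".wsf": true, ".hta": true,
}

// hasZoneIdentifier opens the NTFS alternate data stream "<file>:Zone.Identifier",
// which browsers write to mark a download. On Windows os.Open accepts the
// file:stream syntax; on other systems the open fails and this returns false.
func hasZoneIdentifier(path string) bool {
	f, err := os.Open(path + ":Zone.Identifier")
	if err != nil {
		return false
	}
	f.Close()
	return true
}

// auditStartupDir lists every regular file in dir with its classification.
func auditStartupDir(dir string) ([]Finding, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		full := filepath.Join(dir, e.Name())
		out = append(out, Finding{
			Name:     e.Name(),
			Runnable: runnableExt[strings.ToLower(filepath.Ext(e.Name()))],
			HasMotW:  hasZoneIdentifier(full),
		})
	}
	return out, nil
}

// suspicious keeps the findings matching the page's description of the dropped
// payload: directly runnable and carrying no Mark-of-the-Web.
func suspicious(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Runnable && !f.HasMotW {
			out = append(out, f)
		}
	}
	return out
}

// defaultStartupDir is the per-user Startup folder the text names, assumed to
// be rooted at %APPDATA%.
func defaultStartupDir() string {
	return filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
}

func main() {
	dir := defaultStartupDir()
	if len(os.Args) > 1 {
		dir = os.Args[1] // allow pointing the audit at any folder
	}
	findings, err := auditStartupDir(dir)
	if err != nil {
		fmt.Println("cannot read", dir+":", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-40s runnable=%-5t motw=%t\n", f.Name, f.Runnable, f.HasMotW)
	}
	for _, f := range suspicious(findings) {
		fmt.Println("REVIEW:", filepath.Join(dir, f.Name))
	}
}
```

Anything it prints under REVIEW is a list to look at, not a verdict: legitimately installed programs also lack Mark-of-the-Web, so check each flagged file’s publisher, hash and creation time against what you expect on that machine.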

— Nathan Zakhary