Cybersecurity researchers have disclosed a critical vulnerability in the Ollama artificial intelligence framework that could allow a remote attacker with no authentication to read the entire process memory of an affected server. The flaw, identified as CVE-2026-7482 and carrying a CVSS score of 9.1, is believed to impact over 300,000 servers globally. Researchers at Cyera, who discovered the issue, have codenamed it Bleeding Llama.
Ollama is an open-source platform widely used to run large language models locally. The vulnerability is described as an out-of-bounds read flaw, a type of memory safety issue that occurs when software accesses memory outside the intended buffer.
Nature of the Vulnerability
The out-of-bounds read vulnerability resides in a core component of the Ollama server. By sending a specially crafted request to an exposed endpoint, a remote attacker can cause the software to read memory regions beyond the allocated buffer. This can leak sensitive data held in the server’s process memory, potentially including API keys, user credentials, model weights, and other confidential information.
Because the flaw requires no authentication or prior access to the system, it poses a significant risk to publicly exposed Ollama servers. The researchers noted that the sheer number of vulnerable instances, estimated at over 300,000 according to internet scanning data, amplifies the potential for widespread exploitation.
Impact and Risk
The Bleeding Llama vulnerability is particularly concerning for organizations that deploy Ollama without proper network segmentation or firewall restrictions. A successful attack could expose the entire memory space of the Ollama process, giving attackers a detailed snapshot of the application’s runtime state. This data could then be used for further compromise of the host system or exfiltration of proprietary AI models.
Cyera has not released a public proof-of-concept exploit, but the technical details of the flaw are expected to be presented at an upcoming security conference. The CVSS score of 9.1 places this vulnerability in the critical severity category, reflecting both the ease of exploitation and the high potential for data loss.
Affected Versions
According to the advisory, all versions of Ollama prior to a specific patched release are affected. Users are strongly advised to update to the latest version of the software as soon as possible. Organizations should also review their network configurations to ensure that Ollama servers are not directly accessible from the internet unless absolutely necessary.
The researchers emphasized that simply blocking external access may not be sufficient, as the vulnerability could also be exploited from within a local network. Proper network segmentation and the principle of least privilege should be applied to limit exposure.
Response and Mitigation
The Ollama development team has been notified of the vulnerability and has released a security update addressing the out-of-bounds read issue. Server administrators are urged to apply the patch immediately. For users who cannot update right away, Cyera has provided specific mitigation steps, including restricting access to the Ollama API via firewall rules and disabling unused features.
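As an added example (not from Cyera or the Ollama project), the following sketch audits `ss -ltnH` output for Ollama listeners bound beyond loopback, flagging internal-network binds as well as all-interface binds, in line with the researchers' point that blocking external access alone may not be enough. It assumes Ollama's default API port 11434, which the article does not state, and the sample socket lines are constructed.

```python
import ipaddress

OLLAMA_PORT = 11434  # assumption: Ollama's default API port (not given in the article)

# Constructed sample of `ss -ltnH` output (Linux iproute2); not from a real host.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 4096 [::1]:11434 [::]:*
LISTEN 0 4096 192.168.1.20:11434 0.0.0.0:*
"""

def split_local(addr):
    """Split 'host:port' or '[v6]:port' into (host, port), dropping any %iface scope."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%", 1)[0], port

def classify(host):
    """Return the reachability class of a bind address."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(ss_output, port=OLLAMA_PORT):
    """List (local_address, scope) for listeners on `port` reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, local_port = split_local(fields[3])
        if local_port != str(port):
            continue
        scope = classify(host)
        if scope != "loopback":  # LAN-reachable binds count too, not only public ones
            findings.append((fields[3], scope))
    return findings

if __name__ == "__main__":
    for addr, scope in audit(SAMPLE_SS):
        print(f"exposed Ollama listener: {addr} ({scope})")
```

On a live host, pass the output of `ss -ltnH` to `audit()`; any finding is a listener that should be rebound to loopback or placed behind a firewall rule until the patch is applied.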
The vulnerability highlights ongoing challenges in securing rapidly evolving AI infrastructure. As large language models become more integrated into enterprise operations, the security of the platforms running them becomes a critical concern. This incident serves as a reminder that memory safety flaws remain a persistent risk even in modern software stacks.
Looking ahead, the security community will be closely monitoring for any active exploitation attempts. Users are advised to review their logs for signs of unusual API requests or abnormal memory usage. Cybersecurity firms are expected to release additional detection rules and scanning tools to help identify vulnerable installations in the coming days.
Source: Cyera Research