Integrity and Authenticity Verification Flaw in Ollama for Windows
CVE-2026-42248

7.7HIGH

Key Information:

Vendor: Ollama
Status: Ollama
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-42248?

Ollama for Windows lacks proper integrity and authenticity checks for update executables, resulting in a significant vulnerability. Unlike other platforms, the Windows version of Ollama blindly accepts any update as valid, allowing an attacker to supply malicious executables that can be executed by the application. This is particularly concerning as the application performs silent automatic updates, meaning users are unaware when potentially harmful software is installed. Versions tested between 0.12.10 and 0.17.5 are confirmed vulnerable, although other untested versions may also be at risk. Despite early notification to maintainers, no updates or clarifications were provided regarding the vulnerable versions.

Affected Version(s)

Ollama Windows 0.12.10 <= 0.17.5

References

https://cert.pl/en/posts/2026/04/CVE-2026-42248/

third-party-advisory

https://ollama.com/

product

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 25, 2026

Credit

Bartłomiej Dmitruk (striga.ai)

CVE-2026-42248 Data

JSON