Remote Code Execution Vulnerability in Ollama for Windows
CVE-2026-42249
What is CVE-2026-42249?
Ollama for Windows contains a vulnerability in its update mechanism caused by improper handling of HTTP response headers. A header value is used, without validation, to build a local file path, which allows path traversal and lets arbitrary files be written outside the designated update staging directory. An attacker able to influence update responses can use this to place malicious executables in user-accessible locations, including the Windows Startup directory, so that they run automatically without user interaction. Chained with another identified vulnerability, this flaw allows a malicious payload to be executed persistently and without the user noticing.
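The following Go snippet is an added illustration of the flaw class described above, not Ollama's own updater code: the weak pattern joins a header-supplied name straight onto the staging directory, while the hardened form accepts only a plain file name and confirms the resolved path stays inside the staging directory. Function names, the staging directory and the header values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// unsafeStagePath is the weak pattern: the header value is joined onto the
// staging directory with no validation, so ".." segments or an absolute
// path place the downloaded file outside the staging directory.
func unsafeStagePath(stagingDir, headerValue string) string {
	return filepath.Join(stagingDir, headerValue)
}

var errUnsafeName = errors.New("header-supplied update name is not a plain file name")

// plainName allows only a bare file name: no slash or backslash, no drive
// colon, and no leading dot (which also rules out "." and "..").
var plainName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// safeStagePath is the hardened form: the header value may choose a file
// name inside the staging area but never a directory. The containment check
// after the allowlist is belt-and-braces in case the allowlist is relaxed.
func safeStagePath(stagingDir, headerValue string) (string, error) {
	if !plainName.MatchString(headerValue) {
		return "", errUnsafeName
	}
	base, err := filepath.Abs(stagingDir)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(base, headerValue)
	rel, err := filepath.Rel(base, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeName
	}
	return dest, nil
}

func main() {
	// Constructed header values: one benign, one with traversal segments.
	for _, v := range []string{"ollama-update.exe", "../../Startup/update.exe"} {
		fmt.Printf("unsafe: %q -> %q\n", v, unsafeStagePath("staging", v))
		dest, err := safeStagePath("staging", v)
		fmt.Printf("safe:   %q -> %q, err=%v\n", v, dest, err)
	}
}
```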
Affected Version(s)
Ollama for Windows, versions 0.12.10 through 0.17.5