Ollama A.I CyberSecurity Scoring
Ollama
Company Information
Website: https://github.com/ollama/ollama
Employees number: 45
Number of followers: 146,140
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: github.com
Ollama Risk Score (AI oriented)
Ollama, Technology, Information and Internet
Score: 721/1000 (Moderate, Ba; band 700 to 749)
Updated: 07/05/2026
Ollama Global Score (TPRM)
Ollama, Technology, Information and Internet
Score locked (not displayed)
Current Score: 721 Ba (Moderate), on a 0 to 1000 scale
5 incidents, -8.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 722
MAY 2026: 725
Vulnerability • 07 May 2026 • Ollama
Ollama: Critical Ollama Memory Leak Vulnerability Exposes 300,000 Servers Globally
Critical "Bleeding Llama" Flaw Exposes 300,000 Ollama Servers to Data Theft
721 | CRITICAL-4 | OLL1778142229
A severe vulnerability in Ollama, a widely used platform for running local AI models, has left roughly 300,000 internet-facing servers vulnerable to memory-based data extraction. Dubbed "Bleeding Llama" (CVE-2026-7482), the flaw allows unauthenticated attackers to steal sensitive information including user prompts, system instructions, and environment variables with just three API calls.
Discovered by Cyera and assigned a critical CVSS score of 9.1, the exploit stems from a memory overread during the processing of GGUF model files. Attackers can craft malicious files with mismatched tensor metadata, tricking Ollama into reading beyond intended memory buffers. The leaked data, preserved through a lossless conversion technique, is then exfiltrated via the platform’s push functionality.
The impact is particularly severe in enterprise environments, where exposed memory may contain API keys, proprietary code, customer data, and internal AI workflows. Systems integrated with external tools or coding assistants face heightened risk, as their outputs may also be compromised.
The vulnerability affects Ollama versions before 0.1.7.1, the release that includes the patch. Organizations are advised to upgrade immediately, restrict public access, and enforce authentication controls. Any previously exposed deployments should assume potential data leakage and rotate secrets.
INCIDENT DETAILS - Type: Vulnerability | Impact: Data breach
APRIL 2026: 730
Vulnerability • 24 Apr 2026 • Ollama
Ollama: Hackers Exploit Ollama Model Uploads to Leak Server Data
Critical Unpatched Vulnerability in Ollama Exposes Sensitive Data to Attackers
725 | CRITICAL-5 | OLL1777019301
Cybersecurity researchers have identified a severe, unpatched vulnerability in Ollama, a widely used open-source platform for running large language models (LLMs) locally. Tracked as CVE-2026-5757, the flaw resides in Ollama’s model quantization engine and allows unauthenticated attackers to steal sensitive server data by uploading a maliciously crafted AI model file.
### How the Exploit Works
Ollama’s quantization process, designed to optimize model performance by reducing numerical precision, contains an out-of-bounds memory vulnerability in its handling of GPT-Generated Unified Format (GGUF) files. When an attacker uploads a specially crafted GGUF file and triggers quantization, the engine reads beyond safe memory limits due to three critical flaws:
1. Unchecked file metadata – The engine trusts user-provided metadata without verifying its alignment with the actual data size.
2. Unsafe memory operations – A Go-based memory slice extends into the application’s heap, enabling unauthorized access.
3. Data exfiltration via API – Stolen memory (including sensitive data) is written to a new model layer and can be extracted through Ollama’s registry API.
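Both GGUF incidents above come down to the same defensive check: tensor metadata read from the file must be reconciled with the number of bytes actually present before any slice is taken from it. The Go program below is an added illustration of that check from the loader's side; it is not Ollama's or llama.cpp's code. `TensorInfo`, `ValidateTensor` and `TensorBytes` are assumed names, and the descriptor is deliberately simplified to an offset plus `NumElems*ElemSize` (real GGUF descriptors carry a name, dimensions, a dtype and an offset, and block-quantized dtypes size their data per block rather than per element). The data section and the descriptors are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// TensorInfo is a constructed, simplified stand-in for one GGUF tensor
// descriptor. The byte length is reduced to NumElems*ElemSize so the bounds
// logic stays visible. (Assumed layout for illustration only, not the
// project's actual struct.)
type TensorInfo struct {
	Name     string
	Offset   uint64 // start of the tensor inside the data section
	NumElems uint64 // product of the declared dimensions
	ElemSize uint64 // bytes per element for the declared dtype
}

// ErrTensorOutOfBounds is returned when declared metadata does not fit the
// bytes actually present. Returning it instead of slicing is what keeps a
// crafted descriptor from becoming a read of neighbouring heap memory.
var ErrTensorOutOfBounds = errors.New("tensor metadata exceeds data section")

// tensorByteLen computes the byte length the metadata claims, refusing
// values whose product would wrap around uint64.
func tensorByteLen(t TensorInfo) (uint64, error) {
	if t.ElemSize == 0 {
		return 0, fmt.Errorf("%s: %w: zero element size", t.Name, ErrTensorOutOfBounds)
	}
	if t.NumElems > math.MaxUint64/t.ElemSize {
		return 0, fmt.Errorf("%s: %w: element count overflows", t.Name, ErrTensorOutOfBounds)
	}
	return t.NumElems * t.ElemSize, nil
}

// ValidateTensor checks offset and length against the real data-section
// size. The subtraction form avoids overflow in offset+size.
func ValidateTensor(t TensorInfo, dataLen uint64) error {
	size, err := tensorByteLen(t)
	if err != nil {
		return err
	}
	if t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%s: %w: offset %d + size %d > %d bytes",
			t.Name, ErrTensorOutOfBounds, t.Offset, size, dataLen)
	}
	return nil
}

// TensorBytes hands out the tensor's byte range only after validation, so
// the slice expression can never reach past the file's own bytes.
func TensorBytes(data []byte, t TensorInfo) ([]byte, error) {
	if err := ValidateTensor(t, uint64(len(data))); err != nil {
		return nil, err
	}
	return data[t.Offset : t.Offset+t.NumElems*t.ElemSize], nil
}

// ValidateAll rejects a whole descriptor table on the first bad entry, which
// is the point at which a loader should refuse the file outright.
func ValidateAll(ts []TensorInfo, dataLen uint64) error {
	for _, t := range ts {
		if err := ValidateTensor(t, dataLen); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed data section: 64 bytes standing in for a tiny model file.
	data := make([]byte, 64)
	good := []TensorInfo{
		{Name: "tok_embd", Offset: 0, NumElems: 8, ElemSize: 4},
		{Name: "out_norm", Offset: 32, NumElems: 16, ElemSize: 2},
	}
	// Crafted descriptor: claims 64 bytes starting at offset 32 of a
	// 64-byte section, the mismatch the summaries above describe.
	crafted := TensorInfo{Name: "blk.0.attn", Offset: 32, NumElems: 16, ElemSize: 4}

	fmt.Println("good table:", ValidateAll(good, uint64(len(data))))
	_, err := TensorBytes(data, crafted)
	fmt.Println("crafted descriptor:", err)
}
```

The overflow guard matters as much as the plain comparison: a descriptor whose dimensions multiply past 2^64 would otherwise wrap to a small, apparently valid length. Callers should check `errors.Is(err, ErrTensorOutOfBounds)` and discard the whole file rather than skip the one tensor.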
### Potential Impact
Since the vulnerability grants access to the server’s heap memory, attackers can silently extract highly sensitive data processed during normal operations, including:
- API keys
- Private user data
- Proprietary intellectual property
Worse, the exploit could enable full server compromise, allowing attackers to move laterally within a network, establish persistence, and evade detection by standard security tools.
### Discovery & Current Status
The flaw was uncovered by security researcher Jeremy Brown, who employed AI-assisted vulnerability research techniques. As of late April 2026, the CERT Coordination Center has been unable to contact Ollama’s vendor, leaving the vulnerability unpatched.
### Mitigation Measures
Until an official fix is released, organizations running Ollama are advised to:
- Disable or restrict model upload functionality on exposed servers.
- Limit deployments to isolated or trusted networks.
- Only use AI models from verified sources.
- Enforce strict network controls to block unauthorized data exfiltration.
The incident underscores the growing risks of supply chain attacks in AI infrastructure, particularly in open-source tools with widespread adoption.
INCIDENT DETAILS - Type: Vulnerability | Impact: Data breach
MARCH 2026: 729
FEBRUARY 2026: 733
Vulnerability • 04 Feb 2026 • Ollama
Ollama: More Than 175,000 Exposed Hosts Pose Risks for Ollama LLM Misuse
Hundreds of Thousands of Ollama Hosts Exposed in LLM Security Risk
728 | CRITICAL-5 | OLL1770209099
A recent study has revealed a critical security vulnerability involving Ollama, a platform for managing large language models (LLMs), with over 175,000 exposed hosts identified online. Conducted by security researchers and reported by SecurityWeek, the findings highlight a growing risk of unauthorized access to LLMs, which could lead to data breaches and misuse of sensitive information.
Among the exposed hosts, 23,000 demonstrated persistent activity over a 293-day period, making them prime targets for attackers. These consistently active hosts could be exploited for ongoing data extraction or malicious LLM processing, amplifying the threat of cyber exploitation.
The study employed advanced scanning techniques to analyze exposure patterns, providing detailed insights into the behavior of vulnerable hosts. The findings underscore the broader risks of unsecured LLM infrastructure, where threat actors could leverage exposed access points to manipulate models or extract confidential data.
Organizations using Ollama and similar platforms are advised to strengthen security measures, including stricter access controls, regular software updates, and network monitoring to mitigate potential threats. The incident serves as a reminder of the need for robust security protocols in LLM deployment.
INCIDENT DETAILS - Type: Vulnerability | Impact: Data breach
JANUARY 2026: 752
Cyber Attack • 28 Jan 2026 • Ollama
OpenAI and Ollama: Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation
Large-Scale "LLMjacking" Campaign Exploits Exposed AI Endpoints for Profit
732 | CRITICAL-20 | OPEOLL1769611516
Researchers at Pillar Security have uncovered a sophisticated cybercrime operation dubbed "Bizarre Bazaar", one of the first documented cases of "LLMjacking": a campaign targeting exposed or poorly secured AI infrastructure for financial gain. Over a 40-day period, the team recorded over 35,000 attack sessions on their honeypots, revealing a coordinated effort to monetize unauthorized access to large language model (LLM) endpoints.
The campaign exploits misconfigured or unauthenticated AI services, including self-hosted LLMs, exposed APIs, publicly accessible Model Context Protocol (MCP) servers, and development environments with public IP addresses. Attackers frequently target Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots, often striking within hours of a misconfigured endpoint appearing in Shodan or Censys scans.
Once compromised, threat actors leverage the access for multiple malicious purposes:
- Cryptocurrency mining using stolen computing resources
- Reselling API access on darknet markets
- Exfiltrating sensitive data from prompts and conversation histories
- Pivoting into internal systems via MCP servers for lateral movement
Pillar Security’s report highlights a criminal supply chain involving three distinct threat actors. The first scans the internet for vulnerable endpoints, the second validates and tests access, and the third operates Silver[.]inc, a commercial service advertised on Telegram and Discord that resells access to compromised AI infrastructure. The platform, marketed under the name NeXeonAI, claims to provide access to over 50 AI models from major providers in exchange for cryptocurrency or PayPal payments.
The operation has been attributed to a threat actor using the aliases "Hecker," "Sakuya," and "LiveGamer101." While Bizarre Bazaar focuses on LLM API abuse, Pillar Security is tracking a separate but potentially related campaign targeting MCP endpoints, which offers greater opportunities for lateral movement including Kubernetes interactions, cloud service access, and shell command execution.
As of the latest findings, the campaign remains active, with SilverInc’s service still operational. The full scope of the operation and its potential connections to other threat groups are still under investigation.
INCIDENT DETAILS - Type: Cyber Attack | Impact: Data breach
DECEMBER 2025: 752
NOVEMBER 2025: 752
OCTOBER 2025: 751
SEPTEMBER 2025: 751
AUGUST 2025: 751
JULY 2025: 751
APRIL 2025: 767
Vulnerability • 15 Apr 2025 • Ollama
Ollama: 175K Exposed Ollama Hosts Allow Remote Code Execution
Global Network of 175,000 Exposed Ollama AI Servers Raises Remote Code Execution Risks
750 | CRITICAL-17 | OLL1769784240
Researchers have uncovered a vast, unmanaged network of 175,000 publicly exposed Ollama AI servers across 130 countries, posing severe remote code execution (RCE) risks. Over a 293-day scanning period, the analysis identified 7.23 million observations from unique hosts, revealing a decentralized yet highly active ecosystem.
A persistent core of 23,000 hosts drove most activity, while transient instances appeared and disappeared frequently. Nearly half of the exposed servers support tool-calling capabilities, enabling code execution, API access, and external system interactions, fundamentally altering the threat model beyond basic text generation. Additionally, 22% of hosts include vision capabilities, allowing image-based prompt injection attacks via malicious files.
The infrastructure spans both cloud and residential networks, with 56% of hosts located on consumer ISPs and 32% on hyperscalers, complicating traditional security governance. Geographic concentrations were notable: Virginia (18%) led in the U.S., while Beijing (30%) dominated in China, alongside Shanghai and Guangdong (21%).
Model adoption showed striking uniformity, with Llama, Qwen2, and Gemma2 consistently ranking as the top three deployed families. Hardware constraints drove convergence toward 4-bit quantization formats (72% of hosts), increasing systemic fragility: vulnerabilities in these models could impact a significant portion of the exposed ecosystem.
Key threat vectors include:
- Resource hijacking: unauthenticated access to compute power for malicious activities like spam or disinformation.
- Prompt injection attacks: exploiting tool-enabled models to extract sensitive data or execute unauthorized commands.
- Indirect prompt injection: using malicious images to bypass bot defenses via residential IPs.
The decentralized nature of these deployments, particularly on home networks, complicates attribution and incident response, as security teams often lack legal or contractual access to mitigate threats. The findings underscore the need for authentication, monitoring, and network controls equivalent to those applied to traditional externally facing infrastructure.
INCIDENT DETAILS - Type: Vulnerability | Impact: Data breach
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Ollama?
What was Ollama's A.I Rankiteo Cyber Score in May 2026?
What was Ollama's A.I Rankiteo Cyber Score in April 2026?
What was Ollama's A.I Rankiteo Cyber Score in March 2026?
What was Ollama's A.I Rankiteo Cyber Score in February 2026?
What was Ollama's A.I Rankiteo Cyber Score in January 2026?
What was Ollama's A.I Rankiteo Cyber Score in December 2025?
What was Ollama's A.I Rankiteo Cyber Score in November 2025?
What was Ollama's A.I Rankiteo Cyber Score in October 2025?
What was Ollama's A.I Rankiteo Cyber Score in September 2025?
What was Ollama's A.I Rankiteo Cyber Score in August 2025?
What was Ollama's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Ollama's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Ollama?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Ollama's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?