Ollama Windows updater accepts unsigned payloads, enabling persistent RCE
TL;DR - Ollama's Windows updater skips signature verification entirely (CVE-2026-42248) and builds local file paths from attacker-controlled HTTP response headers without sanitisation (CVE-2026-42249). Chain them and you get arbitrary file write followed by silent auto-execution - persistent RCE, no user interaction required.
What happened
Ollama is a local LLM runtime widely used by developers to run models on their own machines. CERT Polska disclosed two vulnerabilities in the Windows build's updater.
CVE-2026-42248 (CWE-494): the Windows update verification routine unconditionally returns success. No signature check. No trust validation. Whatever executable gets delivered is staged and run.
CVE-2026-42249 (CWE-22): the updater constructs local file paths directly from HTTP response header values, feeding them into filepath.Join without any sanitisation. An attacker who can influence update responses can insert ../ sequences and write files outside the intended staging directory - including paths like the Windows Startup directory.
Chained together, the attack is clean: CVE-2026-42249 places a malicious binary wherever you want it, CVE-2026-42248 ensures the updater executes it without complaint. Auto-update runs silently. No prompt, no warning, repeatable on every subsequent update cycle.
Auto-update is supposed to be a trusted distribution path. When it has no integrity checks, a single network influence point becomes persistent, silent code execution on developer machines. That is a meaningful supply-chain surface - especially given how many engineers run Ollama locally against sensitive code and data.
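The path handling behind CVE-2026-42249, next to a hardened form, as an added example (not Ollama's code or its fix). The function names, the staging directory and the header values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveStagePath reproduces the flawed pattern: filepath.Join cleans the
// result, so ".." segments in the header value are resolved, not rejected.
func naiveStagePath(stageDir, headerName string) string {
	return filepath.Join(stageDir, headerName)
}

// safeStagePath (hypothetical helper) accepts only a bare file name from the
// untrusted header, then confirms the joined path is still inside stageDir.
func safeStagePath(stageDir, headerName string) (string, error) {
	// Treat "\" like "/" so the check is identical on Windows and elsewhere.
	name := strings.ReplaceAll(headerName, `\`, "/")
	// ":" blocks drive-relative names and NTFS alternate data streams.
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/:") {
		return "", errors.New("header value is not a bare file name")
	}
	// IsLocal additionally rejects Windows reserved device names such as NUL.
	if !filepath.IsLocal(name) {
		return "", errors.New("header value is not a local file name")
	}
	dest := filepath.Join(stageDir, name)
	// Defence in depth: the path relative to stageDir must be the name itself.
	rel, err := filepath.Rel(stageDir, dest)
	if err != nil || rel != name {
		return "", errors.New("resolved path leaves the staging directory")
	}
	return dest, nil
}

func main() {
	stage := filepath.FromSlash("/opt/app/updates") // constructed staging dir
	// Constructed header values: one benign, three that must be refused.
	for _, h := range []string{"Setup.exe", "../../Setup.exe", `..\..\Setup.exe`, "sub/Setup.exe"} {
		dest, err := safeStagePath(stage, h)
		fmt.Printf("%-18q naive=%q safe=%q err=%v\n", h, naiveStagePath(stage, h), dest, err)
	}
}
```

Path confinement only addresses the write location; the staged file still needs a signature or integrity check before it is executed.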
Who is impacted
- Windows machines running Ollama versions 0.12.10 through 0.17.5 (confirmed vulnerable by CERT Polska).
- Versions outside that range were not tested, so exposure there is unconfirmed - not ruled out.
- Highest risk: machines that fetch updates over networks where an attacker can intercept or spoof update responses.
| Item | Detail |
|---|---|
| Affected product | Ollama (Windows) |
| Vulnerable versions (confirmed) | 0.12.10 through 0.17.5 |
| CVE-2026-42248 | No integrity or authenticity verification on downloaded update executables |
| CVE-2026-42249 | Path traversal via attacker-controlled HTTP response headers fed into filepath.Join |
| Exploit chain | CVE-2026-42249 writes attacker binary to arbitrary path; CVE-2026-42248 executes it without verification; auto-update triggers silently |
What to do now
- Apply the latest patched release as soon as vendor remediation is available. Track the official Ollama release channel.
- Inventory every Windows machine running Ollama - developer workstations, build agents, lab machines - and flag anything in the 0.12.10 through 0.17.5 range.
- Treat the updater path as untrusted until patched:
  - limit update activity to trusted, controlled networks where feasible
  - review network-edge controls that could reduce exposure to attacker-influenced update responses
- If you suspect a machine was exposed, look for unexpected binaries outside the normal update staging directory. The Windows Startup directory is the example target CERT Polska calls out explicitly.
- Consider whether machines running vulnerable Ollama builds should be treated as potentially compromised until they are patched and inspected.
Additional Information
- CERT Polska advisory (covers both CVEs): https://cert.pl/en/posts/2026/04/CVE-2026-42248/
- CVE records: CVE-2026-42248, CVE-2026-42249
