{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42249", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-25T11:31:56.229Z", "datePublished": "2026-04-29T11:44:39.807Z", "dateUpdated": "2026-04-29T13:20:29.799Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "platforms": ["Windows"], "product": "Ollama", "repo": "https://github.com/ollama/ollama", "vendor": "Ollama", "versions": [{"lessThanOrEqual": "0.17.5", "status": "affected", "version": "0.12.10", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bart\u0142omiej Dmitruk (striga.ai)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ollama for Windows&nbsp;contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to <i>filepath.Join</i>, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.<br>An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.<br><br>Critically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),&nbsp;an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.<br><br>Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.<br>"}], "value": "Ollama for Windows\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\n\nCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\n\nMaintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable."}], "impacts": [{"capecId": "CAPEC-186", "descriptions": [{"lang": "en", "value": "CAPEC-186 Malicious Software Update"}]}, {"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-29T11:44:39.807Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-42248/"}, {"tags": ["product"], "url": "https://ollama.com/"}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "Remote Code Execution in Ollama via Update Mechanism", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T13:20:16.814725Z", "id": "CVE-2026-42249", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T13:20:29.799Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-29T13:20:16.814725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T13:20:23.094Z"}}], "cna": {"tags": ["x_open-source"], "title": "Remote Code Execution in Ollama via Update Mechanism", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bart\u0142omiej Dmitruk (striga.ai)"}], "impacts": [{"capecId": "CAPEC-186", "descriptions": [{"lang": "en", "value": "CAPEC-186 Malicious Software Update"}]}, {"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/ollama/ollama", "vendor": "Ollama", "product": "Ollama", "versions": [{"status": "affected", "version": "0.12.10", "versionType": "semver", "lessThanOrEqual": "0.17.5"}], "platforms": ["Windows"], "defaultStatus": "unknown"}], "references": [{"url": "https://cert.pl/en/posts/2026/04/CVE-2026-42248/", "tags": ["third-party-advisory"]}, {"url": "https://ollama.com/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Ollama for Windows\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\n\nCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\n\nMaintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.", "supportingMedia": [{"type": "text/html", "value": "Ollama for Windows&nbsp;contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to <i>filepath.Join</i>, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.<br>An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.<br><br>Critically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),&nbsp;an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.<br><br>Maintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-29T11:44:39.807Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42249", "state": "PUBLISHED", "dateUpdated": "2026-04-29T13:20:29.799Z", "dateReserved": "2026-04-25T11:31:56.229Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-29T11:44:39.807Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ollama for Windows\u00a0contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker\u2011controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.\nAn attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker\u2011chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables.\n\nCritically, when chained with CVE\u20112026\u201142248 (Missing Signature Verification for Updates),\u00a0an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.\n\nMaintainers of this project were notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Versions from 0.12.10 to 0.17.5 were tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable."}], "id": "CVE-2026-42249", "lastModified": "2026-04-29T12:16:19.113", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-29T12:16:19.113", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/04/CVE-2026-42248/"}, {"source": "cvd@cert.pl", "url": "https://ollama.com/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-494"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "semver", "value": "[0.12.10,0.17.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Ollama", "source": "cna", "vendor": "Ollama"}, "product": "ollama", "vendor": "ollama"}], "created": "2026-04-29T14:15:14.232415+00:00", "updated": "2026-04-29T14:30:13.077545+00:00", "vendors": ["ollama", "ollama$PRODUCT$ollama"]}