Description
A critical authentication bypass vulnerability exists in the Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
References (3)
Core References
Third Party Advisory: https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd
Issue Tracking: https://github.com/ollama/ollama/issues
Scores
CVSS v3: 9.8
EPSS: 0.0019
EPSS Percentile: 40.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-306
Status: published
Products (2)
ollama/ollama: < 0.12.3
ollama/ollama: 0Go
Published: Dec 18, 2025
Tracked Since: Feb 18, 2026