CVE-2026-5530

MEDIUM

Ollama Model Pull API download.go server-side request forgery

Title source: cna

Description

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC

by davidrxchester · poc

https://github.com/davidrxchester/CVE-2026-5530

View Code ZIP pw:eip

References (3)

[Vdb Entry] https://vuldb.com/vuln/355283

[Signature, Permissions Required] https://vuldb.com/vuln/355283/cti

[Third Party Advisory] https://vuldb.com/submit/782107

Scores

CVSS v3 6.3

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-918

Status published

Products (2)

None/Ollama 18.0

None/Ollama 18.1

Published Apr 05, 2026

Tracked Since Apr 05, 2026