249/69 Thursday, May 7, 2026
Security researchers from Cyera have warned about a critical vulnerability in Ollama tracked as CVE-2026-7482, also referred to as “Bleeding Llama,” which could place more than 300,000 internet-exposed Ollama instances at risk of sensitive data theft. The vulnerability is a heap out-of-bounds read issue within the GGUF model loader and can be exploited remotely without authentication.
The attack works by sending a specially crafted GGUF file containing manipulated tensor offsets and sizes that exceed the actual file boundaries. When the system processes the malicious file, it reads data beyond the allocated heap memory, potentially exposing sensitive information such as prompts, messages, environment variables, API keys, tokens, and other secrets. Attackers can then abuse Ollama’s model push feature to exfiltrate leaked heap data to attacker-controlled servers. The entire attack chain reportedly requires only three unauthenticated API calls.
The vulnerability has been patched in Ollama version 0.17.1, and users are strongly advised to update immediately. Organizations should also avoid exposing Ollama instances directly to the internet by implementing protections such as firewalls, authentication proxies, and network segmentation. Administrators are encouraged to review whether their Ollama deployments are publicly accessible and assess whether sensitive data or environment variables processed through affected systems may already have been exposed, taking additional mitigation steps as necessary.