CVE-2026-42249 Overview
Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker-controlled HTTP response headers. When downloading updates, the application constructs local file paths using values derived from HTTP headers without validation. These values are passed directly to filepath.Join, allowing path traversal sequences (../) to be resolved and enabling files to be written outside the intended update staging directory.
An attacker who can influence update responses can exploit this flaw to write arbitrary executables to attacker-chosen locations accessible to the current user, including the Windows Startup directory. This allows execution of arbitrary executables with persistence capabilities.
Critical Impact
When chained with CVE-2026-42248 (Missing Signature Verification for Updates), an attacker can deliver malicious payloads that are written to sensitive locations and executed automatically. Because Ollama for Windows performs silent automatic updates and executes staged binaries without user interaction, this results in automatic and persistent code execution without user awareness.
Affected Products
- Ollama for Windows versions 0.12.10 to 0.17.5 (confirmed vulnerable)
- Earlier versions may also be affected but were not tested
- Windows installations utilizing the automatic update mechanism
Discovery Timeline
- 2026-04-29 - CVE-2026-42249 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-42249
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal) and enables remote code execution through improper input validation in the update mechanism. The flaw exists in how Ollama for Windows processes HTTP response headers during the update download process. The application trusts attacker-controllable header values and uses them to construct file paths without sanitizing path traversal sequences.
The vulnerability is accessible from an adjacent network position and requires exploitation of specific conditions to achieve successful code execution. The attack does not require any user privileges or interaction, making it particularly dangerous in environments where attackers can position themselves on the same network segment.
Root Cause
The root cause stems from improper input validation when processing HTTP response headers during the update mechanism. The application uses filepath.Join to construct local file paths from header-derived values, but this function resolves relative path components including ../ sequences. Without proper validation or sanitization of these input values, an attacker can manipulate the destination path to write files to arbitrary locations on the filesystem accessible to the current user.
Attack Vector
The attack requires adjacent network access to intercept or manipulate update traffic between the Ollama client and update server. An attacker positioned on the same network segment can perform a man-in-the-middle attack to inject malicious HTTP response headers containing path traversal sequences.
The attack flow involves:
- The attacker intercepts update requests from the Ollama for Windows client
- Malicious HTTP response headers containing path traversal sequences (e.g., ../../../Users/[username]/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/) are injected
- The application processes these headers without validation
- Arbitrary executable files are written to the Windows Startup directory
- Upon system restart or user login, the malicious executable runs automatically
When combined with CVE-2026-42248 (Missing Signature Verification), attackers can deliver unsigned malicious payloads that bypass integrity checks, resulting in complete system compromise with persistence.
Detection Methods for CVE-2026-42249
Indicators of Compromise
- Unexpected executable files appearing in the Windows Startup directory (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\)
- Ollama-related processes writing files outside the standard installation and update directories
- Unusual file creation events in user-writable system locations during update operations
- Network traffic anomalies indicating potential man-in-the-middle attacks on update channels
Detection Strategies
- Monitor file system activity for path traversal patterns in file write operations
- Implement endpoint detection rules for unexpected executables in Startup folders
- Analyze network traffic for suspicious HTTP responses during Ollama update processes
- Deploy behavioral monitoring to detect unauthorized persistence mechanisms
Monitoring Recommendations
- Enable file integrity monitoring for Windows Startup directories across all user profiles
- Configure SIEM alerts for file creation events involving path traversal indicators
- Monitor Ollama process behavior for file operations outside expected directories
- Implement network-level inspection for update traffic manipulation attempts
How to Mitigate CVE-2026-42249
Immediate Actions Required
- Disable automatic updates in Ollama for Windows until a patched version is available
- Implement network segmentation to limit adjacent network attack surface
- Monitor Windows Startup directories for unauthorized executable additions
- Consider using network-level controls to restrict update traffic to known legitimate endpoints
Patch Information
Maintainers of the Ollama project were notified about this vulnerability but did not respond with details regarding a patch or specific vulnerable version range. Organizations should monitor the Ollama Official Website and the CERT Security Advisory for updates on remediation guidance.
Versions 0.12.10 to 0.17.5 were tested and confirmed vulnerable. Other versions may also be affected but were not tested.
Workarounds
- Disable automatic updates and perform manual updates only after verifying file integrity
- Use application whitelisting to prevent unauthorized executables from running in Startup directories
- Implement network-level TLS inspection to detect potential man-in-the-middle attacks
- Deploy host-based firewall rules to restrict Ollama update traffic to verified endpoints
- Consider running Ollama in an isolated network environment until patches are available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
