Dubbed Bleeding Llama, the heap out-of-bounds read issue in Ollama can be exploited remotely without authentication. Roughly 300,000 Ollama deployments are prone to sensitive information theft through this unauthenticated vulnerability, Cyera warns. The bug, tracked as CVE-2026-7482 with a CVSS score of 9.3, affects the GGUF model loader and enables reading memory that may contain prompts, messages and environment variables, including API keys, tokens and secrets.
The attacker can exfiltrate the resulting file via Ollama’s built-in model push feature, using only three unauthenticated API calls, Cyera says. Ollama launches by default without authentication and listens on all network interfaces, making internet-exposed instances particularly vulnerable. The vulnerability was addressed in Ollama version 0.17.1, and organisations are advised to apply the fix and implement network access controls, authentication proxies, and regular audits of exposed deployments.
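The following is an added defender-side audit helper, not code from Cyera or the Ollama project. It takes the fixed version stated above (0.17.1) and decides whether a deployment is still on a vulnerable release, and whether its listen address exposes it beyond the local host. It assumes Ollama's `GET /api/version` endpoint (which returns a JSON object with a `version` field) and the `OLLAMA_HOST` setting in `host:port` form; the sample responses embedded below are constructed for illustration.

```python
"""Audit helper for the Ollama advisory: is this instance patched, and is it exposed?"""
import json
import os
import re
import urllib.request
from typing import Optional, Tuple

# Fixed release named in the advisory.
FIXED_VERSION: Tuple[int, int, int] = (0, 17, 1)

# Bind addresses that mean "listen on every interface".
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'v0.17.1' / '0.17.1-rc1' style strings into a comparable tuple.

    Returns None if the string does not start with three numeric components,
    so callers can treat unknown versions explicitly instead of guessing.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable_version(text: str) -> Optional[bool]:
    """True if older than the fixed release, False if fixed, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    return v < FIXED_VERSION


def is_exposed(ollama_host: str) -> bool:
    """Interpret an OLLAMA_HOST value ('host:port', 'host', or empty).

    Anything that is not a loopback address is treated as reachable from the
    network and therefore exposed until an auth proxy or firewall fronts it.
    """
    value = ollama_host.strip()
    # Strip a scheme if present, then the port (IPv6 literals keep their brackets).
    value = re.sub(r"^https?://", "", value)
    if value.startswith("["):
        host = value.split("]")[0] + "]"
    else:
        host = value.rsplit(":", 1)[0] if ":" in value else value
    if host in WILDCARD_HOSTS:
        return True
    return host not in {"127.0.0.1", "localhost", "[::1]", "::1"}


def assess(version_json: str, ollama_host: str) -> dict:
    """Combine a /api/version response body and the bind setting into a verdict."""
    try:
        version = json.loads(version_json).get("version", "")
    except (ValueError, AttributeError):
        version = ""
    vulnerable = is_vulnerable_version(version)
    exposed = is_exposed(ollama_host)
    if vulnerable is None:
        action = "version unknown: verify manually and restrict network access"
    elif vulnerable and exposed:
        action = "upgrade to 0.17.1+ immediately and firewall or proxy the listener"
    elif vulnerable:
        action = "upgrade to 0.17.1+; local-only binding limits but does not remove risk"
    elif exposed:
        action = "patched, but unauthenticated listener is network-reachable: add access controls"
    else:
        action = "patched and local-only"
    return {"version": version, "vulnerable": vulnerable, "exposed": exposed, "action": action}


def fetch_version(base_url: str = "http://127.0.0.1:11434", timeout: float = 3.0) -> str:
    """Read the live /api/version body from a running instance (network call)."""
    with urllib.request.urlopen(f"{base_url}/api/version", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on constructed responses; swap in fetch_version() for a real host.
    constructed_old = '{"version": "0.16.3"}'
    constructed_new = '{"version": "0.17.1"}'
    for body in (constructed_old, constructed_new):
        print(assess(body, os.environ.get("OLLAMA_HOST", "0.0.0.0:11434")))
```

Run it against a real instance by replacing the constructed bodies with `fetch_version()`; the `action` string is what to feed into a ticket or an inventory sweep of exposed deployments.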