
A recent scan conducted by the Malware Patrol team revealed over 14,000 Ollama instances publicly accessible on the Internet, opening the door to unauthorized use of the models and exploitation of known vulnerabilities. From a sample of 4400, we found that the most common Ollama versions include many outdated releases:
- 0.5.7 – 13%
- 0.5.10 – 11.5%
- 0.5.11 – 7.4%
- 0.9.0 – 7.0%
- 0.5.12 – 5.8%
Other old versions like 0.6.2, 0.6.5, 0.6.8, and 0.7.0 also make up a significant share. Notably, only ~7% of scanned instances run the latest stable release.
Ollama vulnerabilities
Several real-world vulnerabilities have plagued older Ollama releases:
- CVE-2024-28224 (versions < 0.1.29): A DNS rebinding flaw that lets attackers issue unauthenticated API calls, including file exfiltration, model deletion, or resource exhaustion.
- CVE-2024-7773 (versions < 0.3.13): A ZipSlip RCE that permits arbitrary file write via crafted zip archives, potentially enabling full remote code execution.
- CVE-2024-39721 (versions < 0.1.34): A resource exhaustion attack using /dev/random to cause infinite blocking via the CreateModelHandler.
- CVE-2024-39720 (versions < 0.1.46): An out-of-bounds memory read caused by malformed GGUF model uploads that could crash the service or impact availability.
- CVE-2024-39722 (versions < 0.1.46): A path traversal vulnerability during /api/push that reveals internal file paths to an attacker.
- Model poisoning/theft (≤ 0.1.34): /api/pull and /api/push lack authentication, enabling injection or theft of entire models.
These flaws reinforce the urgent need to update Ollama to its latest version and shield endpoints behind authentication and firewalls.
Model Inventory and Safety Risks
From the same sample, the most common LLMs in use were:
- deepseek-r1:1.5b – 38.1%
- deepseek-r1:7b/14b/32b/70b – 33%
- llama3.2:3b-instruct-q5_K_M – 24.7%
- nomic-embed-text:latest – 23.6%
- bge-m3:latest – 15.2%
- smollm2:135m – 13%
Some of these models, particularly deepseek-r1, are highly vulnerable to jailbreaks. Cisco–Robust Intelligence tests found a 100% jailbreak success rate on DeepSeek R1 across harmful prompt sets.
While these are not Ollama flaws, publicly exposed LLMs that lack proper restrictions can be misused for prompt injection, data leakage, or the generation of malicious content.
GPU or CPU?
While Ollama doesn’t expose hardware metadata directly, we can guess that:
- Large models like deepseek-r1:70b or llama3.1:8b-instruct likely require GPU-backed hardware.
- Smaller models like smollm2:135m are likely running on CPU-only systems.
Exposed Computational Power – A Platform for Abuse
The scale of public exposure, over 14,000 Ollama instances, represents a vast amount of accessible compute power. Even if many run on CPUs, that's a massive distributed network of LLM inference capacity available to anyone. Malicious actors could exploit this to run unauthorized workloads, generate phishing, disinformation, or deepfake content, or carry out automated prompt injection testing.
Exposed AI infrastructure isn’t just a misuse risk; it’s a potential vector for scalable, automated abuse. Much like unsecured WordPress and Joomla instances once powered large botnets in the mid-2010s, open LLM endpoints may soon become the next soft target.
Final Takeaways
Publicly exposing Ollama instances without strong safeguards leaves them vulnerable to:
- Software-level exploits in outdated releases.
- Model-level failures that compromise safety and data security.
- Infrastructure-level inference hardware leakage that may reveal system architecture.
- Resource misuse to produce malicious/harmful content at scale.
Recommendations:
- Update Ollama to the latest stable release (≥ 0.9.0).
- Lock down endpoints behind firewalls, authentication, or private networks.
- Monitor usage to prevent abuse and model misuse.
Andre Correa
CEO, Malware Patrol