# Ollama's Auto-Updater Is a Persistent Backdoor: How a Missing Signature Check Turns Your AI Into an Attacker's Best Friend **Your AI assistant might be the weakest link in your security right now — and you don't even know it.** If you're running Ollama on Windows, your local LLM server has a built-in auto-updater that's been quietly shipping a pair of critical vulnerabilities since at least version 0.12.10. Researchers disclosed them in January 2026. CERT Polska published a public warning in April. The latest release (v0.23.0, shipped two days ago) still contains the bugs. And the maintainers haven't said a word. This is the story of **CVE-2026-42248** and **CVE-2026-42249** — two flaws that turn Ollama's update mechanism into a persistent remote code execution vector, and a case study in what happens when security disclosure meets complete silence. --- ## What Is Ollama and Why This Matters Ollama is one of the most popular open-source tools for running large language models locally. It bundles the inference server, a chat UI, and a system-tray client that auto-starts on login and checks for updates in the background. Millions of users run it to keep their AI conversations private, avoid API costs, and work offline. The problem? That convenient auto-updater on Windows has two fatal flaws that, when chained together, let an attacker silently install persistent malware on your system — with no user interaction, no UAC prompt, and no warning. --- ## The Two Bugs: A Perfect Storm ### CVE-2026-42248: The Signature Check That Does Nothing The first vulnerability is almost insultingly simple. Ollama's Windows updater has a `verifyDownload()` function. It gets called. It returns `nil` (no error). And then the downloaded file is executed — no matter what it actually is. On macOS, the same build properly verifies code signatures. On Windows? The verification function is a no-op. Any executable the updater downloads gets run blindly. This alone would be bad enough — a man-in-the-middle or compromised update server could push malware that Ollama would happily execute. But it's the second vulnerability that makes this truly nasty. ### CVE-2026-42249: Path Traversal via HTTP Headers The Windows updater builds the local path for staged installer files directly from HTTP response headers — specifically the `ETag` header — without any sanitization. An attacker controlling the update response can inject `../` sequences into the `ETag` header, causing the downloaded file to land **anywhere the user account can write**. Here's where it gets evil: by combining this with the missing signature check, an attacker can write an arbitrary executable directly into the user's **Windows Startup folder**. On the next login (or reboot), Windows runs it automatically. No warning. No Mark-of-the-Web flag. No UAC prompt. Just silent execution on every subsequent login until someone manually deletes the file. As researcher Bartłomiej Dmitruk from Striga put it: *"The same dropped binary fires on every subsequent login until the file is removed."* --- ## Attack Vectors: How This Gets Exploited The attacker needs to control the update response Ollama receives. Dmitruk identified three realistic paths: 1. **Compromise the update infrastructure directly** — We've seen this before. In January 2026, eScan antivirus had its update mechanism compromised to push malware. Supply chain attacks on update servers are not theoretical. 2. **Redirect the client locally** — An attacker with a foothold on the machine can set the `OLLAMA_UPDATE_URL` environment variable, edit the hosts file, or install a rogue root certificate to redirect update checks to their own server. 3. **Network-level interception** — TLS MITM or DNS hijacking with a forged certificate can redirect update traffic. This is harder but not impossible, especially on compromised networks. Default settings make this worse: auto-updates are **enabled by default**, and Ollama **auto-starts from the Startup folder by default**. Most users never change either setting. --- ## The Disclosure Timeline: A Cautionary Tale - **Late January 2026** — Striga researchers report the vulnerabilities to Ollama's documented security address. No response. - **Follow-up** — A maintainer's personal email yields one acknowledgement, then silence. - **Five weeks later** — With no engagement from the Ollama team, CERT Polska takes over coordination. - **April 29, 2026** — CERT Polska publishes a public warning, assigns CVEs, and confirms versions 0.12.10 through 0.17.5 are vulnerable. - **May 4, 2026** — Striga confirms the vulnerable code remains present through v0.22.0, with no commits touching the affected functions. - **May 5, 2026** — Latest release (v0.23.0) ships. Still no patch. Still no statement from maintainers. That's **over three months** from responsible disclosure to public exposure, with zero vendor response and no fix in sight. --- ## What This Means for the Broader AI Ecosystem This isn't just about Ollama. It's about a pattern we're seeing across the AI tooling landscape: **Local AI is the new frontier for attackers.** As organizations and individuals move away from cloud APIs to self-hosted models, they're introducing new attack surfaces they don't fully understand. Local AI servers run with user privileges, auto-start on boot, and often have network access. They're juicy targets. **Update mechanisms are the weakest link.** Every auto-updater is a potential supply chain attack vector. When the updater doesn't verify what it downloads (Ollama on Windows) or lets attackers control where files land (the path traversal), it's not an updater — it's a backdoor installer. **Security isn't a priority in the AI gold rush.** Ollama is a popular, well-funded project. If a disclosure this serious can sit unanswered for months, what does that say about the thousands of smaller AI tools being deployed in production right now? --- ## What You Can Do Right Now ### If You Run Ollama on Windows: 1. **Disable auto-updates immediately.** Go to Ollama settings and turn off "Auto-download updates." This short-circuits the vulnerable update check before any network request is made. 2. **Remove the Startup shortcut.** Delete any Ollama shortcut from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` to prevent silent on-login execution. 3. **Monitor for unexpected files in your Startup folder.** Check regularly for executables you didn't place there. 4. **Consider switching to manual updates.** Until a patched version is released, download updates directly from the official GitHub releases page and verify checksums. ### If You're a Security Team: 1. **Audit your environment for Ollama installations.** The Windows desktop client is the vulnerable component — the headless Linux/macOS server builds are not affected by these specific CVEs. 2. **Block Ollama update traffic at the perimeter** if you can't disable auto-updates centrally. 3. **Add detection rules** for the known IoCs: unexpected executables in Startup folders, processes spawned from `%LOCALAPPDATA%\Ollama\update` directories, and network connections to non-standard OLLAMA_UPDATE_URL values. --- ## The Bigger Picture: Trusting the Tools That Trust Themselves Ollama's vulnerability is a masterclass in how convenience features become security nightmares. Auto-updates are supposed to keep users safe by ensuring they run patched software. When the update mechanism itself is broken, it becomes the attack vector. The most damning detail? macOS builds properly verify signatures. The Windows build just... doesn't. This isn't a complex architectural flaw — it's a function that returns `nil` instead of checking anything. It's the kind of bug that gets introduced once and never reviewed, because "it works on my machine" (the developer's MacBook). For a project used by millions to run AI models — including in enterprise environments — this is a stark reminder that **popularity doesn't equal security maturity**. --- ## Final Thought The AI revolution is happening faster than our security practices can keep up. Tools like Ollama make AI accessible to everyone, which is genuinely transformative. But accessibility without security is just vulnerability at scale. CVE-2026-42248 and CVE-2026-42249 have been public knowledge for months. The proof-of-concept is trivial. The attack path is realistic. And the fix — adding actual signature verification and sanitizing HTTP headers — is not rocket science. The only question is whether the maintainers will act before attackers do. *Sources: Striga Research (May 2026), CERT Polska (April 2026), Help Net Security, NVD CVE-2026-42248/42249*