CVE-2026-42249: Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of at
Summary
Ollama for Windows has a remote code execution vulnerability (the ability for an attacker to run commands on your computer) in its update system. The vulnerability happens because the application builds file paths using information from HTTP headers without checking if they're legitimate, allowing attackers to use path traversal sequences (like ../ to navigate directories) to write malicious executable files to dangerous locations like the Windows Startup folder. When combined with a missing signature verification flaw, an attacker can automatically execute malicious code without the user knowing.
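The path-handling flaw described above, as an added Go example that is not Ollama's code: a header-supplied file name joined directly onto a download directory, next to a hardened variant that accepts only a bare file name. The function names, staging directory and sample names are hypothetical and constructed for illustration; signature verification of the downloaded file is a separate control and is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// unsafeTarget mirrors the flawed pattern: the header-supplied name is
// joined as-is, so "../" segments walk out of the staging directory.
func unsafeTarget(stageDir, headerName string) string {
	return filepath.Join(stageDir, headerName)
}

// safeTarget (hypothetical helper) accepts only a bare file name and then
// confirms the joined path still resolves inside stageDir.
func safeTarget(stageDir, headerName string) (string, error) {
	// Treat "\" and "/" alike so the check does not depend on the host OS.
	norm := strings.ReplaceAll(headerName, "\\", "/")
	if norm == "" || norm == "." || norm == ".." ||
		strings.Contains(norm, "/") || strings.Contains(norm, ":") {
		return "", errors.New("rejected: not a bare file name")
	}
	target := filepath.Join(stageDir, norm)
	// Defence in depth: the path relative to stageDir must be the name itself.
	rel, err := filepath.Rel(stageDir, target)
	if err != nil || rel != norm {
		return "", errors.New("rejected: escapes staging directory")
	}
	return target, nil
}

func main() {
	stage := "/srv/stage" // constructed staging directory
	// Constructed sample header values, benign and hostile.
	for _, name := range []string{"Setup.exe", "../../outside/file.exe", `..\..\outside\file.exe`, "C:file.exe"} {
		p, err := safeTarget(stage, name)
		fmt.Printf("%-26q unsafe=%-24q safe=%q err=%v\n", name, unsafeTarget(stage, name), p, err)
	}
}
```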
Vulnerability Details
EPSS: 0.0%
April 29, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42249
First tracked: April 29, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 95%