The potential for mischief is extensive. Sagi Tzadik, the Wiz researcher who discovered the vulnerability, told CSO: “An attacker would be able to covertly leak private models, spy on user prompts, alter their responses, ransom the whole system, and even gain a foothold in the internal network. Once exploited, the machine is compromised.”

Authentication shortcomings create potential exposure

The lack of maturity for the class of technology makes it prudent to deploy additional security controls beyond applying Ollama’s patch, Wiz advised. Ollama setups should be isolated from the internet.

“The Ollama project is still in its early stages and does not support critical security features, like authentication,” Wiz’s Tzadik told CSO. “Even with the latest version running, attackers can obtain the AI models used on the Ollama server and even run them using the victim’s compute power.