Skip to main content

Ollama CVE-2026-33401

| EUVDEUVD-2026-14947 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-24 GitHub_M
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:17 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.7.0
EUVD ID Assigned
Mar 24, 2026 - 18:15 euvd
EUVD-2026-14947
Analysis Generated
Mar 24, 2026 - 18:15 vuln.today
CVE Published
Mar 24, 2026 - 17:58 nvd
HIGH 7.1

DescriptionGitHub Advisory

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.

AnalysisAI

Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.

Technical ContextAI

This vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when an application fetches remote resources without proper validation of user-supplied URLs. The Wallos application (identified via CPE cpe:2.3:a:ellite:wallos) processes user input for external service parameters without enforcing allowlist restrictions or network isolation. The vulnerability spans three distinct code paths: the AI Ollama integration (which accepts arbitrary host URLs), the AI recommendations feature (which may construct requests to external endpoints), and background cron jobs handling notifications (which execute scheduled network requests). The incomplete patch history (commit e8a513591 addressed notification test endpoints but overlooked these three related surfaces) indicates a broader architectural gap in input validation across the application's integration layers.

RemediationAI

Upgrade Wallos immediately to version 4.7.0 or later, which includes patches addressing all three attack surfaces (AI Ollama host parameter, AI recommendations endpoint, and notification cron job). The patch commits are available at https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef and related references in the official repository. For environments unable to patch immediately, implement network-level mitigations by restricting outbound connections from the Wallos service to only approved external endpoints using host-based firewalls or network segmentation; disable the AI features and notification functionality if not in use; and audit recent authentication logs for suspicious endpoint requests targeting internal IP ranges (10.0.0.0/8, 169.254.169.254, or localhost). Additionally, rotate any credentials or tokens that may have been exposed through metadata endpoints if compromise is suspected.

More in Ollama

View all
CVE-2024-37032 HIGH POC
8.8 May 31

Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path,

CVE-2025-15514 HIGH POC
8.7 Jan 12

Denial of service in Ollama's multi-modal image processing (versions 0.11.5-rc0 through 0.13.5) lets remote attackers cr

CVE-2024-39720 HIGH POC
8.2 Oct 31

An issue was discovered in Ollama before 0.1.46. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita

CVE-2025-1975 HIGH POC
7.5 May 16

A vulnerability in the Ollama server version 0.5.11 allows a malicious user to cause a Denial of Service (DoS) attack by

CVE-2025-0317 HIGH POC
7.5 Mar 20

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model

CVE-2025-66960 HIGH POC
7.5 Jan 21

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function rea

CVE-2025-66959 HIGH POC
7.5 Jan 21

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]

CVE-2024-8063 HIGH POC
7.5 Mar 20

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2025-0312 HIGH POC
7.5 Mar 20

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that,

CVE-2024-12055 HIGH POC
7.5 Mar 20

A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be u

CVE-2024-39722 HIGH POC
7.5 Oct 31

An issue was discovered in Ollama before 0.1.46. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2024-39721 HIGH POC
7.5 Oct 31

An issue was discovered in Ollama before 0.1.34. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

Share

CVE-2026-33401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy