Ollama EUVD-2026-19009

Q: What is the CVSS score of EUVD-2026-19009?

EUVD-2026-19009 has a CVSS 4.0 base score of 5.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-5530 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-05 VulDB

SSRF Ollama

5.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Red Hat

6.3 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 05, 2026 - 01:15 euvd

EUVD-2026-19009

Analysis Generated

Apr 05, 2026 - 01:15 vuln.today

CVE Published

Apr 05, 2026 - 00:30 nvd

MEDIUM 5.3

DescriptionCVE.org

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in Ollama's Model Pull API (via server/download.go) allows authenticated remote attackers to manipulate file processing and trigger SSRF attacks, affecting Ollama versions up to 18.1. The vulnerability carries a CVSS score of 6.3 with moderate impact on confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 6.3 score reflects moderate risk with network attack vector, low complexity, and low privilege requirements (PR:L indicates authenticated access is required). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user with access to Ollama's Model Pull API submits a malicious request containing a crafted URL or file path during model download operations. The vulnerable download.go component fails to validate the request destination and instead causes the Ollama server to make a server-side request to an attacker-controlled or internal system. …
Remediation	Users should upgrade Ollama to a version newer than 18.1 once a patched release becomes available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

Bug #1094806

ollama

Release	Status	Fixed Version	Urgency
	open	-	-

EUVD-2026-19009 vulnerability details – vuln.today

Back