Critical Security Flaw: 25,000 Exposed Ollama AI Servers Discovered Worldwide, with 7,600 in EU
Key Takeaways
- 25,000 publicly exposed Ollama servers discovered globally, with 7,600 (30%) located in EU member states, representing a 22x increase from September 2025
- Ollama's API design flaw: the platform provides fully writable, unauthenticated access, including the ability to delete models, create models, and execute inference at the owner's expense without credentials
- EU cloud providers' aggressive marketing of self-hosted inference solutions has driven rapid adoption but lacks accompanying security guidance, creating widespread vulnerability
- Tenable rates the vulnerability as Critical (CVSS 10.0), and between 8-12% of exposed servers are actively serving inference, confirming active use rather than abandoned infrastructure
Summary
A security researcher has discovered over 25,000 publicly exposed Ollama inference servers worldwide, a dramatic 22x increase from the 1,139 instances found by Cisco Talos in September 2025. Approximately 7,600 of these vulnerable instances are located in EU member states, with Germany accounting for 3,550 servers—ranking third globally after China and the United States. The exposure is partly driven by EU cloud providers like Hetzner, Contabo, and OVH aggressively promoting self-hosted inference capabilities through tutorials and one-click deployment templates, often without adequate security guidance.
The discovery reveals a critical vulnerability in Ollama's API design: the platform exposes a fully writable, unauthenticated API that allows unauthorized users to not only read model information and run inference queries, but also delete models, create new models with arbitrary system prompts, and pull additional models from registries—all without requiring any authentication credentials. Testing on a sample of 254 EU hosts confirmed that 8-12% were actively serving inference at any given time, indicating these are actively maintained systems rather than forgotten infrastructure. Tenable has classified this unauthenticated access vulnerability with a CVSS Base Score of 10.0 (Critical severity), recommending operators bind APIs to localhost or place them behind authenticated reverse proxies.
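The recommended mitigation (Ollama bound to localhost, reachable only through an authenticating reverse proxy) can look like the following. This is an added example, not code from the article, Tenable or the Ollama project. The tokens and the listening port are constructed placeholders, the route names are Ollama's API paths rather than anything quoted in the article, and TLS is assumed to be terminated in front of the proxy.

```python
import hmac
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "http://127.0.0.1:11434"  # Ollama itself listens on loopback only
# Constructed placeholder tokens; load real ones from a secret store.
READ_TOKEN, ADMIN_TOKEN = "example-read-token", "example-admin-token"
# Inference and listing routes a non-admin client may call. Everything else
# (delete, create, pull, push, copy, unknown paths) needs the admin token.
READ_PATHS = {"/api/generate", "/api/chat", "/api/embed", "/api/tags", "/api/show"}

def authorize(path, auth_header):
    """Return 200 to forward, or the 4xx status the proxy should answer with."""
    if not path.startswith("/"):
        return 400  # absolute-URI request lines are never forwarded
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401
    presented = token.strip().encode()
    is_admin = hmac.compare_digest(presented, ADMIN_TOKEN.encode())
    is_reader = hmac.compare_digest(presented, READ_TOKEN.encode())
    if not (is_admin or is_reader):
        return 401
    if is_admin or path.split("?", 1)[0] in READ_PATHS:
        return 200
    return 403  # valid read token, but the path is not on the allowlist

class Proxy(BaseHTTPRequestHandler):
    def _handle(self):
        status = authorize(self.path, self.headers.get("Authorization"))
        if status != 200:
            return self.send_error(status)
        length = int(self.headers.get("Content-Length") or 0)
        req = urllib.request.Request(
            UPSTREAM + self.path, data=self.rfile.read(length) or None,
            method=self.command, headers={"Content-Type": "application/json"})
        try:
            resp = urllib.request.urlopen(req)
        except urllib.error.HTTPError as err:
            resp = err  # relay upstream error statuses unchanged
        body = resp.read()  # buffers the reply, so streamed output arrives at once
        self.send_response(resp.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = do_DELETE = _handle

if __name__ == "__main__":  # publish this port only through a TLS terminator
    ThreadingHTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The allowlist is default-deny: a path that is not an exact match, including variants such as a trailing slash, is treated as an administrative call rather than passed through.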
Editorial Opinion
This discovery exposes a fundamental tension in the AI infrastructure boom: the race to democratize self-hosted inference through simple deployment tools has far outpaced security best practices. While Ollama's design choice to implement an unauthenticated API may have been intended for development convenience, its exposure in production environments poses significant risks—from financial theft through unauthorized compute usage to potential model tampering. The fact that EU cloud providers are actively promoting these deployments without security guardrails is particularly troubling and suggests the industry urgently needs standardized security baselines and responsible marketing practices for AI infrastructure.



