BotBeat
Ollama | RESEARCH | 2026-05-29

Critical Vulnerabilities in Ollama Desktop App Enable Phishing and Data Exfiltration via Prompt Injection

Key Takeaways

  • Ollama's desktop app is vulnerable to indirect prompt injection attacks that allow complete UI takeover via malicious HTML rendering, enabling credential theft and phishing attacks
  • Three zero-click data exfiltration vectors were identified exploiting insecure web search tooling, Markdown image rendering, and external HTML element rendering—no user action required beyond initial interaction with compromised content
  • Vulnerabilities were disclosed to Ollama on December 18, 2025, but received no response despite four follow-ups over five months, prompting public disclosure on May 28, 2026

Source: Hacker News (https://www.promptarmor.com/resources/unpatched-ollama-vulnerabilities-phishing-overlays-and-data-exfiltration)

Summary

Security researchers from PromptArmor have disclosed multiple critical vulnerabilities in Ollama's desktop application that enable attackers to launch phishing overlay and data exfiltration attacks through indirect prompt injection. The vulnerabilities allow attackers to completely overwrite the Ollama user interface with malicious websites and steal user credentials or sensitive data without requiring user interaction. The attacks exploit insecure rendering of model outputs and lack of input sanitization, with three distinct data exfiltration vectors identified that can be weaponized through compromised external websites or documents.

The vulnerabilities were reported to the Ollama team on December 18, 2025, but the disclosure received no response despite four additional follow-up attempts by PromptArmor. After nearly five months of waiting without a fix, the researchers publicly disclosed the vulnerabilities on May 28, 2026, to ensure the Ollama community could be made aware of the risks. The disclosure timeline—from December 2025 through May 2026—raises questions about Ollama's vulnerability response practices and the broader challenge of coordinating security fixes for widely-used open-source AI tools.

Ollama, which boasts over 170,000 GitHub stars, is a leading platform for running large language models locally on desktop and mobile devices. The identified vulnerabilities highlight critical security gaps in how AI model outputs are rendered to users and demonstrate how prompt injection attacks can be weaponized beyond model manipulation to achieve full application takeover and credential theft.

  • The attacks demonstrate how indirect prompt injection—manipulating AI models to output malicious content—poses systemic risks to widely-deployed AI applications with millions of users
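
The rendering vectors named in the summary (raw HTML and Markdown images in model output) can be closed off by treating model output as untrusted before it reaches the renderer. The following is an added example, not code from Ollama or PromptArmor; `sanitizeModelOutput`, the allowlist and the sample text are hypothetical and constructed for illustration.

```javascript
// Added example: pre-render filter for untrusted model output.
// All names here are hypothetical; none are Ollama APIs.
const ALLOWED_IMAGE_HOSTS = new Set(["images.internal.example"]); // constructed allowlist

function isAllowedImage(rawUrl, allowedHosts) {
  try {
    const u = new URL(rawUrl); // relative or malformed URLs throw and are rejected
    return u.protocol === "https:" && allowedHosts.has(u.hostname);
  } catch {
    return false;
  }
}

function sanitizeModelOutput(markdown, allowedHosts = ALLOWED_IMAGE_HOSTS) {
  const findings = [];
  // 1. Images are fetched without a click. Any image whose inline URL is not
  //    allowlisted (reference-style images included) is downgraded to an
  //    ordinary link by dropping the leading "!".
  const imagePattern = /!\[([^\]]*)\](\(\s*([^)\s]+)[^)]*\))?/g;
  let text = markdown.replace(imagePattern, (match, alt, inline, url) => {
    if (inline && isAllowedImage(url, allowedHosts)) return match;
    findings.push({ type: "image", target: url || "(reference-style)" });
    return match.slice(1);
  });
  // 2. Raw HTML can restyle or cover the UI. Escape every tag-like "<" so the
  //    renderer shows it as text. Trade-off: code blocks display the entity
  //    literally; disabling raw HTML in the renderer itself avoids that.
  text = text.replace(/<(?=[A-Za-z\/!?])/g, () => {
    findings.push({ type: "html" });
    return "&lt;";
  });
  return { text, findings };
}

// Constructed sample of model output after reading untrusted content.
const SAMPLE_OUTPUT = [
  "Here is the summary.",
  "![status](https://collector.example/p.png?d=CONSTRUCTED)",
  "![logo](https://images.internal.example/logo.png)",
  "![ref][r1]",
  '<div style="position:fixed">Sign in</div>',
  "2 < 3",
].join("\n");

const result = sanitizeModelOutput(SAMPLE_OUTPUT);
console.log(result.text);
console.log(result.findings);
```

The `findings` list is suitable for logging, so that a response which tried to emit remote images or HTML can be reviewed after the fact.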

Editorial Opinion

This vulnerability disclosure exposes a critical blind spot in the security practices of a major open-source AI tool. The five-month silence from the Ollama team following responsible disclosure is particularly concerning given the ease of exploitation and the tool's massive user base. The research underscores that as AI tools proliferate, security must be treated as a first-class concern—not an afterthought—and that open-source projects need clear vulnerability response protocols to protect users before flaws become public.
