BotBeat
...
← Back

> ▌

OllamaOllama
RESEARCHOllama2026-05-29

Critical Vulnerabilities in Ollama Desktop App Enable Phishing and Data Exfiltration via Prompt Injection

Key Takeaways

  • ▸Ollama's desktop app is vulnerable to indirect prompt injection attacks that allow complete UI takeover via malicious HTML rendering, enabling credential theft and phishing attacks
  • ▸Three zero-click data exfiltration vectors were identified exploiting insecure web search tooling, Markdown image rendering, and external HTML element rendering—no user action required beyond initial interaction with compromised content
  • ▸Vulnerabilities were disclosed to Ollama on December 18, 2025, but received no response despite four follow-ups over five months, prompting public disclosure on May 28, 2026
Source:
Hacker Newshttps://www.promptarmor.com/resources/unpatched-ollama-vulnerabilities-phishing-overlays-and-data-exfiltration↗

Summary

Security researchers from PromptArmor have disclosed multiple critical vulnerabilities in Ollama's desktop application that enable attackers to launch phishing overlay and data exfiltration attacks through indirect prompt injection. The vulnerabilities allow attackers to completely overwrite the Ollama user interface with malicious websites and steal user credentials or sensitive data without requiring user interaction. The attacks exploit insecure rendering of model outputs and lack of input sanitization, with three distinct data exfiltration vectors identified that can be weaponized through compromised external websites or documents.

The vulnerabilities were reported to the Ollama team on December 18, 2025, but the disclosure received no response despite four additional follow-up attempts by PromptArmor. After nearly five months of waiting without a fix, the researchers publicly disclosed the vulnerabilities on May 28, 2026, to ensure the Ollama community could be made aware of the risks. The disclosure timeline—from December 2025 through May 2026—raises questions about Ollama's vulnerability response practices and the broader challenge of coordinating security fixes for widely-used open-source AI tools.

Ollama, which boasts over 170,000 GitHub stars, is a leading platform for running large language models locally on desktop and mobile devices. The identified vulnerabilities highlight critical security gaps in how AI model outputs are rendered to users and demonstrate how prompt injection attacks can be weaponized beyond model manipulation to achieve full application takeover and credential theft.

  • The attacks demonstrate how indirect prompt injection—manipulating AI models to output malicious content—poses systemic risks to widely-deployed AI applications with millions of users

Editorial Opinion

This vulnerability disclosure exposes a critical blind spot in the security practices of a major open-source AI tool. The five-month silence from the Ollama team following responsible disclosure is particularly concerning given the ease of exploitation and the tool's massive user base. The research underscores that as AI tools proliferate, security must be treated as a first-class concern—not an afterthought—and that open-source projects need clear vulnerability response protocols to protect users before flaws become public.

Generative AICybersecurityAI Safety & AlignmentPrivacy & Data

More from Ollama

OllamaOllama
FUNDING & BUSINESS

Ollama Raises $65M Series B to Expand AI Model Accessibility, Reaches 8.9M Monthly Users

2026-07-09
OllamaOllama
RESEARCH

Critical Unpatched Vulnerabilities in Ollama Desktop App Enable Phishing and Data Exfiltration

2026-06-05
OllamaOllama
RESEARCH

Critical NPM Supply Chain Attack Spreads as Self-Propagating Worm Through Binding.gyp Exploits

2026-06-04

Comments

Suggested

CdbxCdbx
PRODUCT LAUNCH

Cdbx Launches AI-Powered Browser IDE to Build Apps from Plain English Descriptions

2026-07-13
SoofiSoofi
PRODUCT LAUNCH

Soofi Consortium Announces Soofi S: Europe's First Sovereign Industrial Foundation Model

2026-07-13
Academic ResearchAcademic Research
RESEARCH

Real-World AI-Generated Code More Similar to Human Code Than Lab Studies Suggested, Large-Scale Study Finds

2026-07-13
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us