PT-2025-54499 · Go · github.com/ollama/ollama

Published 2025-12-18 · Updated 2025-12-18

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

A critical authentication bypass vulnerability exists in the API endpoints of the Ollama platform in versions up to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.

Fix

Missing Authentication

Improper Access Control

Weakness Enumeration

Related Identifiers

GHSA-F6MR-38G8-39RG

Affected Products

github.com/ollama/ollama