@Ankush-Pathak

Updates

  • Affected products

Comments
According to https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd, Affected Versions: <= v0.12.3

@github-actions github-actions bot changed the base branch from main to Ankush-Pathak/advisory-improvement-6571 December 22, 2025 05:59
@JonathanLEvans

Hi @Ankush-Pathak,

My understanding is that Ollama is not patched yet so the current range is accurate. Do you have a link showing that 0.12.4 is fixed?

@Ankush-Pathak
Author

It says in the description of the CVE, "A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3", and see "Affected Versions: <= v0.12.3" here

@Ankush-Pathak
Author

Oh I see what you're saying. I don't find any indication of a fix in the changelog for 0.12.4.
The description of the CVE must then be updated to not mention the version to avoid confusion.

@JonathanLEvans

GitHub did not assign the CVE so we cannot make changes to it. If you want, you can contact MITRE about changing the description.

@github-actions

github-actions bot commented Jan 8, 2026

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Jan 8, 2026