GHSA-x9hg-5q6g-q3jrMediumCVSS 6.9

Ollama vulnerable to Cross-Domain Token Exposure

Published
July 22, 2025
Last Modified
June 6, 2026

🔗 CVE IDs covered (1)

📋 Description

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.

🎯 Affected products1

  • go/github.com/ollama/ollama:<= 0.9.6

🔗 References (7)