CVE-2026-5530 MEDIUM

CVE-2026-5530: Ollama Model Pull API download.go server-side request forgery

Vendor N/A

Product Ollama

Weakness CWE-918 · SSRF

Published April 5, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

01Description

A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

April 5, 2026 CVE published

April 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5530 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2025-32372 Server-Side Request Forgery (SSRF) in DotNetNuke.Core CVE-2025-7813 Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin <= 4.0.37 - Unauthenticated Server-Side Request Forgery CVE-2026-41687 Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL — is_cgnat_ip() Not Used in Inline Checks CVE-2024-32812 WordPress Podlove Podcast Publisher plugin <= 4.0.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2024-32718 WordPress The Pack Elementor addons plugin <= 2.0.8.2 - Server Side Request Forgery (SSRF) vulnerability

Identifiers

CVE CVE-2026-5530

CWE CWE-918

CVSS 5.3 / MEDIUM

Affected versions

Vendor N/A

Product Ollama

Affected 18.0

Vendor N/A

Product Ollama

Affected 18.1