-
Notifications
You must be signed in to change notification settings - Fork 516
[GHSA-f6mr-38g8-39rg] Ollama Platform has missing authentication enabling attackers to perform model management operations #6571
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
JonathanLEvans
commented
Dec 23, 2025
Hi @Ankush-Pathak,
My understanding is that Ollama is not patched yet so the current range is accurate. Do you have a link showing that 0.12.4 is fixed?
Ankush-Pathak
commented
Dec 23, 2025
It says in the description of the CVE, A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3 and see Affected Versions: <= v0.12.3 here
Ankush-Pathak
commented
Dec 23, 2025
Oh I see what you're saying. I don't find any indication of a fix in the changelog for 0.12.4.
The description of the CVE must then be updated to not mention the version to avoid confusion.
JonathanLEvans
commented
Dec 23, 2025
GitHub did not assign the CVE so we cannot make changes to it. If you want, you can contact MITRE about changing the description.
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.
Updates
Comments
According to https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd,
Affected Versions: <= v0.12.3