VDB

CISA-2025-51471

CISA-2025-51471 PUBLISHED CVSS 6.9 MEDIUM

Reported by mitre · Published July 22, 2025

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.

Risk Scores

CVSS 3.1
6.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Affected Products

VendorProductVersions
n/an/an/a
n/an/an/a, n/a

Timeline

  • Jul 22, 2025 CVE Published
  • Oct 17, 2025 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›