Exploiting open Ollama instances for free LLM inference (defcon.social)

Researchers and security reporters highlighted a wave of publicly accessible Ollama servers—instances of the popular open-source model-serving tool—that had their HTTP APIs exposed to the Internet without authentication. That misconfiguration let anyone send inference requests to hosted models, effectively getting free LLM compute and interacting with privately run models. The discovery was framed as an operational security issue rather than a software bug: attackers didn’t need exotic exploits, only network access to unauthenticated endpoints. The incident matters because it underscores a class of risks unique to self-hosted ML infra: cost theft (unmetered inference), data leakage from prompts or context, and the ability to probe or mount model-extraction and membership-inference attacks against exposed models. Technically, the root cause is network and deployment configuration—open API endpoints on cloud VMs, containers, or local hosts—rather than the model code. Practical implications include enforcing network-level access controls, enabling authentication and TLS for serving endpoints, applying rate limits and logging, isolating sensitive data, and hardening deployment templates. For teams running private model servers, this is a timely reminder that standard ops/security practices (firewalls, reverse proxies, auth tokens) are essential to protect compute budgets, data, and model IP.