NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

← All engagement records

Case study May 1, 2026

Keio University: Unauthenticated Ollama, Dual Cloud Proxy, 122B Model

Bill Rondell, Nick Adams & Dade Murphy — May 1, 2026 — case study — 1 min read — 263 words
Sector
Universities
Country
keio

NuClide Research · 2026-05-01

Summary

Keio University (Japan) server with 8 Ollama models including two DeepSeek cloud proxy subscriptions and a 122-billion-parameter Qwen3.5 MoE model. Raw Ollama port publicly accessible without authentication. Cloud proxies require a higher-tier subscription (returned upgrade prompt, no credential leak). Full model injection surface via CVE-2025-63389.

Infrastructure

FieldValue
IP131.113.41.213
OrgKeio University
CountryJapan
Open WebUI131.113.37.67:3000, v0.3.32, auth=True (different IP)
Open ports11434 (Ollama, public)

Models

ModelSizeNotes
deepseek-v4-pro:cloud0 GB☁️ Cloud proxy, DeepSeek Pro API
deepseek-v4-flash:cloud0 GB☁️ Cloud proxy, DeepSeek Flash API
qwen3.5:122b75 GBLocal, 122B MoE
qwen3-coder-next:latest48 GBLocal, coding model
qwen3.6:35b22 GBLocal
qwen3.6:latest22 GBLocal
gemma4:31b18 GBLocal
gemma4:31b-nvfp418 GBLocal (NV FP4 quantization)

Findings

F1: Unauthenticated Ollama API (CRITICAL)

Port 11434 publicly accessible. All 8 models enumerable without credentials.

F2: Dual DeepSeek Cloud Proxy Subscriptions (HIGH)

Two DeepSeek cloud proxy models registered. Subscription tier check returned:

{
  "error": "this model requires a subscription, upgrade for access: https://ollama.com/upgrade",
  "ref": "684df060-4e09-4e03-a76d-c07d04eb77c9"
}

Cloud proxy models exist and are registered, quota drain is gated behind subscription tier, not external access control. A subscription-bearing Ollama account could call these directly.

F3: 122B-Parameter Free Inference (HIGH)

Any actor can run inference on qwen3.5:122b (75GB) without authentication:

curl http://131.113.41.213:11434/api/generate \
  -d '{"model":"qwen3.5:122b","prompt":"...","stream":false}'

Free compute at operator’s hardware expense.

F4: Model Injection (CRITICAL)

All models injectable via CVE-2025-63389. Affects students/staff using the Open WebUI frontend at 131.113.37.67:3000.

Remediation

OLLAMA_HOST=127.0.0.1:11434
systemctl restart ollama

Disclosure

  • Discovered: 2026-05-01
  • Status: Pending outreach to Keio University IT