§ THE STACK / MODEL LAYER

Ollama

Local-LLM runtime, no auth by design

The runtime that actually executes the model: where the weights run.

What it is

Ollama is the easiest way to run a large language model on your own hardware. One binary, one command: ollama pull llama3 and you have a local OpenAI-style API on port 11434. It pulls quantised model weights from its own registry, manages the GPU layout, and serves an OpenAI-compatible chat endpoint. It is genuinely beautifully engineered, and it is the reason most of the world’s self-hosted AI exists.

What goes wrong

The framework has no authentication concept by design. The maintainers’ position is that auth is an upstream concern (run it behind a reverse proxy, behind Tailscale, behind your firewall). Most operators don’t. Any host running Ollama on a public IP is a free, unauthenticated, unlimited model endpoint: an attacker can list the model inventory at /api/tags, chat through /api/chat, and even pull arbitrary new models via /api/pull, which silently downloads gigabytes onto the operator’s disk and bills any attached cloud egress.

How we test

We hit /api/tags to enumerate the loaded models (this is the population-scale fingerprint behind our cross-cloud surveys), capture the response, and attribute via the kind of models loaded: a host serving gemma3:e4b and nothing else is a hobbyist; a host serving fifteen fine-tuned variants of llama3:70b with custom Modelfiles is a commercial operator. We do not issue chat completions. We do not call /api/pull. The model inventory tells the whole story.

Receipts

Research

Every survey, case study, and disclosure we've published that touches this layer of the stack. Counts on the cells above tally these directly.

Cross-cloud surveys

Survey May 15, 2026

Ollama Population Survey: Shodan-Walk (2026-05-15)

Re-survey of the Ollama exposure surface, walked on Shodan rather than via masscan-on-cloud-prefixes. The prior two surveys (5.38M IPs across six tier-1+2 clouds) found 1,192 confirmed unauth Ollama.…

Ollama

What it is

What goes wrong

How we test

Ollama Population Survey: Shodan-Walk (2026-05-15)

Chrome DevTools Protocol, browser-automation backend cloud survey 2026-05-14

Ollama on Tier-2 Cloud: Auth Posture Survey (Scope Expansion)

Ollama on Public Cloud: Auth Posture Survey

Case Study: Ollama Unauthenticated Exposure: Enterprise Targets

NCKU Edge Host: a Kubernetes Control Plane Behind a MikroTik Gateway

San Diego Supercomputer Center: Public Ollama on `compute.cloud.sdsc.edu` — 53-Model Inventory + `:cloud`-suffix Cloud-Proxy Class

ollama launch claude-desktop: Gateway-mode MITM by default + community-tutorial typosquat surface

University of Alberta: CS Dept GPU Server, gpt-oss:120b, Coding Stack

University of Nicosia: DeepSeek V4 Pro Cloud Proxy, Unauthenticated Inference

Forskningsnettet (Danish Research and Education Network): Two Nodes, v0.3.0 Ancient + v0.22.0 Current

Kumamoto University: Account Takeover, MiniMax Cloud Proxy (CS Architecture Lab)

Waseda University: Account Takeover (`tokoko`), Custom DeepSeek Academic/JP Models, qwen3-vl:235b

University of Rwanda: Qwen3.5 + Qwen3.6 27B, College of Education Campus

Technical University of Košice: MedGemma 54GB, Abliterated Qwen3.6-35B, Turkish LLM, RAG Stack

National Chengchi University: Taiwan National AI Models (TAIDE) Exposed on V100×4 Server

National Tsing Hua University: TAIDE-NPC Model, Qwen3.6:35b

TANet Abliterated Model Cluster: `gemma4-crack-fixed`, Multiple Safety-Bypassed Models

Taiwan Ministry of Education Computer Center (TANet): Account Takeover, Default `ollama` Credentials

Binh Duong University: Account Takeover, Contabo VPS (`itu.edu.vn`)

UC Berkeley: Residential Hall Machine, qwen2.5:32b Public

University of California, San Diego (UCSD): Large Local Models + Cloud Proxies

University of Maine: 69GB Uncensored 122B Model + 18 Cloud Subscriptions, ECE Server

Pemerintah Provinsi Kalimantan Utara: Account Takeover, Claude-Distilled Model

AWS GovCloud: Unauthenticated Ollama, Custom JOSIE AI, DeepSeek + MiniMax Cloud Proxy

Bangladesh Research and Education Network (BdREN): Unauthenticated Inference Node

Algerian Academic Research Network (ARN): Unauthenticated Inference Node

Informatics and Telematics Institute (ITI): Mistral Small 24B, vcl.iti.gr

India NIB (National Internet Backbone / BSNL): 2-Node Cluster, 32B Coder

Morocco ONPT: National Telecom Operator Ollama Node

Malaysia Ministry of Education (EMISC): Unauthenticated Ollama Node

ICI Bucharest: 2-Node Cluster, Cloud Proxy + Abliterated Models

Taiwan Academic Network (TANet): 18-Node Cluster, 1 Account Takeover, Multi-Institution

emails-pro.fr: French Commercial Appointment-Booking SaaS: Full System Prompt + PII Collection Pattern Exposed

Thailand Ministry of Public Health: Unauthenticated Ollama with Vision Model

City of Cartersville, GA: Local Government Ollama + Cloud Proxy Credential Leak

Meriwether Lewis Electric Cooperative: 235B-Parameter Model on Unauthenticated Ollama

Institute for Informatics and Automation Problems, Armenia: Dual Cloud Proxy + Docker Credential Leak

Monash University: 3-Node Cluster, DeepSeek V3.1 671B, Cloud Proxies

CEFET/RJ (Centro Federal de Educação Tecnológica Celso Suckow da Fonseca): 17-Model Brazilian Portuguese AI Stack

University of Manitoba: CS Department GPU Server, Deep Research Stack

University of Western Ontario: 2-Node Cluster, Account Takeover on Node 2

Shandong Medical Graduate School: 376GB DeepSeek + Abliterated R1-Distill + Credential Leak

University of Hertfordshire: RobotHouse Dev Server, gpt-oss Cloud Proxy 200 OK

Shiv Nadar University: 7-Node Cluster, Chest X-Ray AI + Abliterated Models + 30+ Cloud Subscriptions

Jomo Kenyatta University of Agriculture and Technology: Cloud Proxy Exposure

KRENA (Kyrgyz Research and Education Network): 433GB GLM-5.1, DeepSeek Cloud Proxy

INHA University: Ollama Stack + vLLM Node

POSTECH: 11-Node Cluster, 18+ Cloud Subscriptions, 6 Account Takeovers + Synchrotron Beamline + Essential AI Model

Seoul National University: 3-Node Cluster, Cloud Proxy + Credential Leak (user: node1)

Yonsei University: 17 Cloud Subscriptions on Non-Standard Port, Free-Tier 200 OK

Lanka Education and Research Network (LEARN): Credential Leak (user: modelserver)

COMSATS University: Medical AI Models, Kimi Cloud Proxy

Technical University of Łódź (TUL): DeepSeek-R1:32B, Cross-Network Custom Model

ITMO University, Russia: 24 Models, gpt-oss:20b + gpt-oss:120b Cloud Proxies

KTH Royal Institute of Technology: Dual-Node Unauthenticated Ollama, Abliterated Model Running as Root

Umeå University: GPU Research Server (gpuhost02)

University of Žilina: Student Laptop with 3 Free-Tier Cloud Proxies (200 OK)

Chulalongkorn University: Three Cloud Proxies + Credential Leak (Kimi K2.6, DeepSeek, Qwen)

National Cheng Kung University (NCKU): RTX 3090 GPU Server, Non-Standard Port, Credential Leak

NCU / TANet Taoyuan: Production Medical Scheduling SaaS System Prompt Fully Exposed

National Taiwan University: GPU Cluster g1pc2n108, Multimodal Vision Stack

Hanoi University: 18 Cloud Proxy Subscriptions + Credential Leak (Containerized Deployment)

Vietnam National University Hanoi: Domain-Specific Distilled Models

Vietnam National University Ho Chi Minh City: final-exploit-v1 + gpt-oss Cloud Proxy

UC Davis: Large Local Models + Claude 4.6 Opus-Distilled

Duke University: Unauthenticated Agentic Ollama with File Inspection Tools

SUNY Stony Brook: Biology Department, OLMo Research Stack + Cloud Proxy

Egypt NREN (ENSTINET): Custom Arabic Uncensored Models, Non-Standard Port, CVE-2025-63389

Ollama Launch Claude Desktop Gateway Disclosure

Am Armenian Academy Resend

Disclosure Outcomes: 2026-05-04 Bulk Send

Pk Comsats Resend

Tw Fju Medph Resend

Vn Vnu Hanoi Resend

In Shiv Nadar