A growing number of servers running the open-source large language model (LLM) platform Ollama are directly exposed to the internet, creating a potentially vast and largely ungoverned layer of AI compute. Researchers at SentinelLABS and Censys identified over 175,000 unique Ollama hosts across 130 countries, observing them over a 293-day period. This exposure, they argue, isn’t necessarily the result of newly discovered vulnerabilities in the software itself, but rather configuration choices made by operators.
Ollama is designed to run locally by default, accessible only from the same machine. However, its documentation details how to change the bind address using the OLLAMA_HOST variable, which can expose the service to a network. While intended for specific use cases, the researchers found that widespread adoption of this configuration has created a significant internet-facing surface. This is particularly concerning because of the potential for unintended workloads and abuse.
The researchers noted a “core” population of consistently online nodes, suggesting the existence of a stable infrastructure beyond hobbyist servers. This persistence is crucial, as it changes the economics for potential attackers. Reliable access allows for repeated use, iterative attacks, and more sophisticated operational planning, rather than relying on sporadic, opportunistic attempts.
A key risk highlighted by the research is the prevalence of tool-calling capabilities advertised by a large share of the observed hosts. Tool-calling allows LLMs to invoke external APIs or system functions, expanding their functionality beyond simple text generation. This shifts the threat model from concerns about “bad text” – such as misinformation – to the potential for malicious actions performed by the model itself. This aligns with emerging security concerns in the LLM space, including prompt injection attacks, where attackers manipulate model instructions to override intended behavior and potentially disclose sensitive information.
The Open Web Application Security Project (OWASP) actively tracks these risks as top-tier concerns for LLM applications.
Independent research corroborates these findings. A study by Cisco, using the Shodan search engine, discovered over 1,100 exposed Ollama servers, reinforcing the need for baseline security controls around LLM deployments. While the scale of the Cisco study differs from the SentinelLABS/Censys investigation, the trend is consistent: local-first LLM tooling is frequently deployed on networks without adequate security hardening.
Beyond infrastructure exposure, the researchers also analyzed system prompts visible through some API responses. They discovered at least 201 hosts running standardized “uncensored” prompt templates, which explicitly remove or weaken built-in safety instructions. The researchers acknowledge this is a lower bound due to limitations in their visibility.
Attribution of these exposed hosts presents a significant challenge. While internet scanning can identify endpoints, determining the accountable owners is often difficult due to incomplete or unclear hosting details. The geographic distribution of these exposures further complicates governance, with China accounting for approximately 30% of exposed hosts and the United States following at just over 20%.
This attribution friction highlights a broader policy reality: the creation of open-source model capability is concentrated in a small number of labs, but the decisions about deployment are distributed across countless downstream operators. This fragmentation makes consistent risk management difficult.
The National Institute of Standards and Technology’s (NIST) AI Risk Management Framework emphasizes risk management as a lifecycle discipline spanning development and deployment. This becomes particularly challenging when the deployment layer is fragmented and unevenly governed. Similarly, MITRE’s SAFE-AI guidance recommends treating exposed LLM endpoints like other internet-facing services, advocating for the implementation of authentication, network segmentation, monitoring, and the principle of least privilege.
The researchers emphasize that the risk isn’t tied to a specific software flaw, but rather to widespread exposure choices. As of , the scale of exposed Ollama instances represents a growing challenge for security professionals and a potential avenue for malicious actors to exploit the rapidly evolving landscape of large language models.
