Too much open-source AI is exposing itself to the web • The Register
https://www.theregister.com/2026/02/01/opensource_ai_is_a_global/
Publish Date: 2026-02-01 18:40:00
Source Domain: www.theregister.com
Infosec in Brief: As if AI weren’t enough of a security concern, now researchers have discovered that open-source AI deployments may be an even bigger problem than those from commercial providers.
Threat researchers at SentinelLABS teamed up with internet mappers from Censys to take a look at the footprint of Ollama deployments exposed to the internet, and what they found was a global network of largely homogeneous, open-source AI deployments just waiting for the right zero-day to come along.
175,108 unique Ollama hosts in 130 countries were found exposed to the public internet, with the vast majority of instances found to be running Llama, Qwen2, and Gemma2 models, most of those relying on the same compression choices and packaging regimes. That, says the pair, suggests open-source AI deployments have become a monoculture ripe for exploitation.
“A vulnerability in how specific quantized models handle tokens could affect a substantial portion of the exposed ecosystem simultaneously rather than manifesting as isolated incidents,” the duo said in their writeup.
To make matters worse, many of the exposed Ollama instances had tool-calling capabilities via API endpoints enabled, vision capabilities, and uncensored prompt templates that lacked safety guardrails. Because they’re not managed by a large AI company, SentinelLABS and Censys warned, those exposures likely aren’t being tracked by anyone, meaning exploitation could go unnoticed.
The greatest risks, per the pair, include resource hijacking due to no centralized oversight, remote execution of privileged operations due to lack of guardrails and exposed API endpoints, and identity laundering by directing malicious traffic through victim infrastructure.
The key lesson, the pair point out, is to start treating AI, open source or not, like any other critical…