25,000 AI servers are sitting on the public internet right now with no password required.
A security researcher scanning for publicly accessible Ollama instances - the popular open-source software for running AI language models on your own hardware - found roughly 25,000 of them globally as of April 2026. That's up from 1,139 instances that Cisco Talos identified just seven months earlier in September 2025. A 22-fold increase in less than a year.
About 7,600 of those exposed servers (30% of the global total) sit inside EU member states. Germany alone accounts for 3,550 - putting it third worldwide behind China and the United States. The servers are concentrated on major European cloud providers: Hetzner, Contabo, and OVH.
No Lock on the Door
Ollama's API - the HTTP interface that lets software communicate with the server - was not designed for public internet exposure. It has no authentication of any kind: no API keys, tokens or user accounts. Anyone who can reach one of these servers can send commands without presenting credentials. The researcher confirmed this by deleting a model from an exposed instance: the server returned a "200 OK" status and removed the model without asking for a username or password.
The attack surface goes well beyond deletion. The exposed API lets anyone:
- Download new AI models onto the server (at the owner's bandwidth and storage cost)
- Delete existing models
- Create custom models with attacker-controlled system prompts, which every later user of that model then inherits
- Run unlimited AI inference - using the server's GPU as free private compute at the owner's expense
Tenable's security scanner rates "Ollama Unauthenticated Access" as Critical with a CVSS score of 10.0 - the maximum possible score on the standard vulnerability severity scale. That rating has been in Tenable's Nessus scanner since March 2026.
The exposed EU servers in the researcher's sample were running models including llama3.2:3b and smollm2:135m. Some were running much larger models whose memory footprint, even in quantized form, points to NVIDIA H100 or H200-class GPUs - hardware that costs tens of thousands of dollars. Between 8 and 12% of servers were actively handling AI requests at any given time the researcher checked.
Who Set This Up
The cloud providers where most of these servers live have been actively marketing self-hosted AI inference. Hetzner, Contabo, and OVH all publish tutorials and offer one-click deployment templates for running Ollama. What they haven't paired with those tutorials is mandatory security guidance. A new user can have a running AI server in minutes - but nothing in the default setup forces them to put a firewall in front of it.
The fix is not complicated. Ollama itself listens only on 127.0.0.1 unless OLLAMA_HOST is changed; the exposure comes from setting it to 0.0.0.0, or publishing the container's port on every interface, because that is what it takes to reach the server from another machine. The safe options are to keep the loopback binding and reach the server over a private network such as Tailscale, to bind it to the private network interface only, or - if public access is genuinely necessary - to put an authenticating reverse proxy with TLS in front of it and firewall port 11434 so that only the proxy can reach it. None of this is difficult. The problem is that nothing in the default deployment requires any of it.
The Regulatory Complication
For EU businesses, there's a specific problem layered on top of the security one. NIS2, DORA, and GDPR - the three major EU cybersecurity and data protection frameworks - all assume you can identify who operates a service and understand what data it processes. An exposed Ollama instance makes that impossible from the outside. There's no way to tell whether a given server is a student's side project, a startup processing customer data, or a regulated financial institution running production AI workloads.
A company using an exposed Ollama instance to process customer data - even through an accidental misconfiguration - may be in breach of GDPR's security-of-processing obligations (Article 32) without knowing it. Regulators have no obvious mechanism to distinguish the hobby project from the compliance liability.
The researcher is planning quarterly rescans to track how the numbers move. Given a 22x increase in seven months, there's no basis for expecting the count to plateau.
Anyone running Ollama outside their local machine should check whether port 11434 (Ollama's default) is reachable from the internet - probed from a host outside the server's own network, not from the server itself - and check which address the service is bound to. If it answers without credentials, they have the same problem as these 25,000 servers.
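As an added example (not code from the article or from the Ollama project), a POSIX shell script that performs both checks and writes the two configuration fragments described above. It assumes Ollama's default port 11434, the documented OLLAMA_HOST override, the ollama.service unit the Linux installer creates, and an nginx reverse proxy; the hostname and certificate paths in the nginx fragment are placeholders, and the `ss` output in the usage comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not the article's or the Ollama project's own code).
# - ollama_bind_is_public: is the service bound to a non-loopback address?
# - ollama_probe: read-only external reachability check of /api/tags
# - write_loopback_override: systemd drop-in pinning Ollama to 127.0.0.1
# - write_auth_proxy_site: nginx site with TLS + basic auth in front of it
# Assumptions: port 11434 (Ollama's default), OLLAMA_HOST (documented override),
# ollama.service (created by the Linux installer); paths/hostnames are placeholders.

OLLAMA_PORT=11434

# Returns 0 when any LISTEN socket on OLLAMA_PORT is bound to a non-loopback
# address (0.0.0.0, *, [::] or a specific interface address), 1 otherwise.
# Reads `ss -ltn` style output on stdin, e.g.:
#   ss -ltn | ollama_bind_is_public && echo "bound to a public address"
# Constructed sample line it would flag:  LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
ollama_bind_is_public() {
  awk -v port="$OLLAMA_PORT" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      # strip ":<port>" to get the bound address, keeping IPv6 brackets intact
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
      public = 1
    }
    END { if (public) exit 0; exit 1 }
  '
}

# External probe: run from a machine outside the server's network.
# GET /api/tags only lists installed models, so the request is non-destructive.
# An HTTP 200 with no credentials means the server is exposed.
ollama_probe() {
  host="$1"
  code=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' \
         "http://$host:$OLLAMA_PORT/api/tags")
  case "$code" in
    200) echo "EXPOSED: $host answers /api/tags without authentication"; return 0 ;;
    000) echo "closed or filtered: $host:$OLLAMA_PORT did not answer"; return 1 ;;
    *)   echo "reachable but answered HTTP $code (proxy or auth in front?)"; return 2 ;;
  esac
}

# Writes the systemd drop-in that pins Ollama to loopback. DIR is normally
# /etc/systemd/system/ollama.service.d (then run: systemctl daemon-reload &&
# systemctl restart ollama); it is a parameter so the function can be tried
# in a scratch directory first.
write_loopback_override() {
  dir="$1"
  mkdir -p "$dir" || return 1
  cat > "$dir/override.conf" <<'EOF'
[Service]
Environment="OLLAMA_HOST=127.0.0.1:11434"
EOF
}

# Writes an nginx site that becomes the only public entry point: TLS, HTTP
# basic auth, proxy_pass to the loopback listener. OUT is the site file path
# (normally under /etc/nginx/sites-available). Create the password file with
# `htpasswd -c /etc/nginx/ollama.htpasswd <user>` and firewall port 11434.
write_auth_proxy_site() {
  out="$1"
  cat > "$out" <<'EOF'
server {
    listen 443 ssl;
    server_name ollama.example.com;                    # placeholder
    ssl_certificate     /etc/ssl/certs/ollama.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/ollama.key;   # placeholder

    auth_basic           "Ollama";
    auth_basic_user_file /etc/nginx/ollama.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:11434;
        proxy_http_version 1.1;
        proxy_read_timeout 300s;   # long generations stream for minutes
        proxy_buffering    off;    # pass streamed tokens through as they arrive
    }
}
EOF
}
```

On the server, `ss -ltn | ollama_bind_is_public` tells you whether the listener is on a public address; from a laptop on a different network, `ollama_probe <server-ip>` tells you whether the port actually answers. The basic-auth proxy is the minimum for genuinely public access; a private network (Tailscale, a VPN, or a cloud-internal subnet) plus the loopback override avoids exposing the port at all.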