Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-5817

Summary
Assigner-Docker
Assigner Org ID-686469e6-3ff6-451b-ab8b-cf5b9e89401e
Published At-22 May, 2026 | 19:24
Updated At-22 May, 2026 | 19:24
Rejected At-
Credits

Docker Model Runner container-to-host code execution via unsandboxed trust_remote_code in Python inference backends

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Docker
Assigner Org ID:686469e6-3ff6-451b-ab8b-cf5b9e89401e
Published At:22 May, 2026 | 19:24
Updated At:22 May, 2026 | 19:24
Rejected At:
▼CVE Numbering Authority (CNA)
Docker Model Runner container-to-host code execution via unsandboxed trust_remote_code in Python inference backends

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference.

Affected Products
Vendor
Docker, Inc.Docker
Product
Docker Desktop
Platforms
  • MacOS
Default Status
unaffected
Versions
Affected
  • From 4.62.0 before 4.68.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-829CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Type: CWE
CWE ID: CWE-829
Description: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Metrics
VersionBase scoreBase severityVector
4.08.8HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3.18.2HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-480CAPEC-480 Escaping Virtualization
CAPEC ID: CAPEC-480
Description: CAPEC-480 Escaping Virtualization
Solutions
Configurations

Docker Model Runner enabled with the vllm-metal inference backend on macOS

Workarounds

Disable Docker Model Runner or only run trusted containers on Docker Desktop instances where Model Runner is enabled.

Exploits
Credits
finder
David Rochester (@davidrxchester)
finder
Nicholas Gould (@gouldnicholas)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://docs.docker.com/desktop/release-notes/#4680
release-notes
Hyperlink: https://docs.docker.com/desktop/release-notes/#4680
Resource:
release-notes
Information is not available yet

Similar CVEs

2Records found
CVE-2026-5843
Matching Score-10
Assigner-Docker Inc.
ShareView Details
Matching Score-10
Assigner-Docker Inc.
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-22 May, 2026 | 19:28
Updated-22 May, 2026 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Docker Model Runner container-to-host code execution via MLX-LM model_file importlib loading

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.

Action-Not Available
Vendor-Docker, Inc.
Product-Docker Desktop
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-6406
Matching Score-8
Assigner-Docker Inc.
ShareView Details
Matching Score-8
Assigner-Docker Inc.
CVSS Score-8.8||HIGH
EPSS-Not Assigned
Published-22 May, 2026 | 18:32
Updated-23 May, 2026 | 03:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Docker Desktop Enhanced Container Isolation bypass via --use-api-socket CLI flag

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials. A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.

Action-Not Available
Vendor-Docker, Inc.
Product-Docker Desktop
CWE ID-CWE-863
Incorrect Authorization
Details not found