June 17, 2026

PBX Science

Security Advisory: CVE-2026-5817 — Docker Model Runner Arbitrary Code Execution via Unsandboxed trust_remote_code Tokenizer Loading

CVE-2026-5817 Security Advisory – Docker Model Runner Code Execution Vulnerability

Vulnerability ID: CVE-2026-5817
Risk Level: HIGH
CVSS Score: 8.8 (v4.0) / 8.2 (v3.1)
Weakness Type: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Affected Component: Docker Model Runner — vllm-metal backend (macOS)
Fixed In: Docker Desktop 4.68.0

Docker has officially disclosed CVE-2026-5817, a high-severity code execution vulnerability in the Docker Model Runner’s vllm-metal inference backend on macOS. The backend unconditionally enables trust_remote_code=True when loading model tokenizers, and runs without any sandbox isolation. Any container on the Docker internal network can exploit this by calling the model-runner.docker.internal API to pull a crafted malicious model and trigger inference — executing arbitrary Python code on the Docker Desktop host under the current user’s privileges.

01 Vulnerability Root Cause

The vulnerability originates in how the vllm-metal inference backend handles tokenizer loading. When a model inference is triggered, Docker Model Runner calls transformers.AutoTokenizer.from_pretrained() with the trust_remote_code=True flag hardcoded and unconditional. This instructs the Hugging Face Transformers library to import and execute arbitrary Python files bundled within the model package — including any attacker-supplied malicious scripts.

Critically, this code execution path runs entirely outside any sandbox or isolation boundary. The process executes directly on the Docker Desktop host with the full privileges of the Docker Desktop user account. There is no prompt, no user confirmation, and no security check before execution occurs.

Important technical correction: the vulnerable step involves the model tokenizer (via AutoTokenizer.from_pretrained()), not a “model segmenter” as sometimes described. The CWE classification is CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) — not CWE-94 — reflecting that the issue is the unconditional loading of untrusted remote code rather than direct code injection.
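A pre-load check of the kind the fix implies, written here as an added example (not Docker's or the Transformers project's code): it inspects a model package for the auto_map entries and bundled .py files that transformers would only load with trust_remote_code=True, so a loader can refuse such a package before from_pretrained() is ever called. The sample package it builds is constructed inline and contains no real model.

```python
"""Pre-load check for a Hugging Face model package (added example, not Docker's code).
transformers resolves custom classes through the "auto_map" entries of config.json and
tokenizer_config.json; those point at Python modules shipped in the package, which is
the code that executes at load time when trust_remote_code=True is passed.
"""
import json
import os
import tempfile

# Files whose "auto_map" entries direct transformers to custom code.
CONFIG_FILES = ("config.json", "tokenizer_config.json")


def scan_model_dir(path):
    """Report why the package would need trust_remote_code (empty lists if it would not)."""
    findings = {"python_files": [], "auto_map": []}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.endswith(".py"):
                findings["python_files"].append(os.path.relpath(os.path.join(root, name), path))
    for cfg in CONFIG_FILES:
        cfg_path = os.path.join(path, cfg)
        if not os.path.isfile(cfg_path):
            continue
        with open(cfg_path, encoding="utf-8") as fh:
            data = json.load(fh)
        # auto_map values may be a string or a [slow, fast] pair; keep them as text.
        for key, target in (data.get("auto_map") or {}).items():
            findings["auto_map"].append((cfg, key, str(target)))
    findings["needs_remote_code"] = bool(findings["python_files"] or findings["auto_map"])
    return findings


def build_sample_package(custom_code):
    """Construct a throwaway model directory (sample data, not a real model)."""
    path = tempfile.mkdtemp(prefix="model-")
    tok_cfg = {"tokenizer_class": "PreTrainedTokenizerFast"}
    if custom_code:
        tok_cfg["auto_map"] = {"AutoTokenizer": "tokenization_custom.CustomTokenizer"}
        with open(os.path.join(path, "tokenization_custom.py"), "w", encoding="utf-8") as fh:
            fh.write("# module transformers would import under trust_remote_code=True\n")
    with open(os.path.join(path, "tokenizer_config.json"), "w", encoding="utf-8") as fh:
        json.dump(tok_cfg, fh)
    return path


if __name__ == "__main__":
    for flag in (False, True):
        print(scan_model_dir(build_sample_package(flag)))
```

A package whose scan reports needs_remote_code should never reach a loader that passes trust_remote_code=True; with the flag left at its default of False, transformers refuses such packages itself.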

02 Attack Flow

  • Attacker crafts a malicious AI model with an embedded Python payload
  • Model is uploaded to an OCI image registry (public or attacker-controlled)
  • An internal container calls the model-runner.docker.internal API
  • Model Runner pulls and loads the model; the tokenizer is initialised
  • Malicious Python executes on the host — no sandbox, host user privileges

The attack surface is notably wide: any container on the Docker internal network can call the model-runner API — no privileged access, no external network exposure, and no user interaction are required to trigger the exploit once a malicious model is reachable.

03 Affected Environments

Confirm Exposure

  • Docker Desktop running on macOS (any chip) with Docker Model Runner enabled
  • Docker Desktop version prior to 4.68.0
  • Environments where any container can reach model-runner.docker.internal
  • Workflows that pull models from OCI registries during inference
  • Local AI development and model-testing environments on Mac

Not affected: Docker Desktop on Windows or Linux is not impacted by this specific vulnerability, as the vllm-metal backend is a macOS-only inference backend. Docker Engine (without Desktop) is also not affected.

04 Remediation

1. Upgrade Docker Desktop (Recommended — Definitive Fix)

Docker has patched CVE-2026-5817 in Docker Desktop 4.68.0. The fix removes the unconditional trust_remote_code=True flag from the tokenizer loading path and introduces sandbox isolation for model inference execution. Upgrade immediately via Docker Desktop → Check for Updates, or download directly from the official Docker website. After upgrading, restart Docker Desktop and verify the version reflects 4.68.0 or later.

2. Temporary Mitigations (If Immediate Upgrade Is Not Possible)

  • Disable Model Runner entirely if AI inference is not currently needed — this eliminates the attack surface completely.
  • Restrict container network access to the model-runner.docker.internal interface.
  • Enforce strict model source controls and pull only from self-hosted, audited registries; avoid pulling models from external or unknown OCI sources.
  • Audit Docker service logs for unexpected model pull events or inference calls, and check the host for anomalous Python processes.

3. Enhanced Container Isolation (ECI)

Docker Desktop’s Enhanced Container Isolation (ECI) feature blocks container access to Model Runner, effectively preventing exploitation. Enabling ECI in Docker Desktop Settings → Security is a strong defence-in-depth measure both before and after patching.

05 Self-Check: Are You at Risk?

Run Through These Checks Now

  • Version check: Open Docker Desktop → About Docker Desktop. Is the version below 4.68.0? Upgrade immediately.
  • Model Runner status: Is Docker Model Runner enabled under Settings → Features in development? If unused, disable it now.
  • Log review: Inspect Docker service logs for unfamiliar model pull requests or inference calls, especially from containers you didn’t initiate.
  • Process audit: Check the host for anomalous Python processes or unexpected background programs that appeared during Docker usage.
  • Network access: Confirm whether all containers on your Docker network can freely reach model-runner.docker.internal. If yes, restrict access.
  • Safe state: Docker Desktop 4.68.0+ installed, Model Runner updated, ECI enabled, untrusted model sources blocked.

06 Related Vulnerabilities

This advisory is one of a cluster of Docker Model Runner security disclosures in early 2026. A companion vulnerability, CVE-2026-5843, addresses a similar container-to-host code execution issue in the MLX inference backend (via MLX-LM model_file importlib loading), patched in Docker Desktop 4.71.0. A separate issue, CVE-2026-33990, covers an SSRF vulnerability in Docker Model Runner’s OCI registry token exchange flow, patched in Model Runner version 1.1.25. Organisations using Docker Model Runner should audit all three vulnerabilities and ensure their Docker Desktop installation is current.
