CVE-2026-28400

Name of the Vulnerable Software and Affected Versions Docker Model Runner versions prior to 1.0.16 Docker Desktop versions prior to 4.61.0 (when Model Runner is enabled)

Description Docker Model Runner is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST /engines/ configure endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (Docker.raw), resulting in the destruction of all containers, images, volumes, and build history. In specific configurations and with user interaction, it is possible to convert this into a container escape.

Recommendations Versions prior to 1.0.16: Update to version 1.0.16 or later. Docker Desktop versions prior to 4.61.0: Update to version 4.61.0 or later. As a workaround, enable Enhanced Container Isolation (ECI) to block container access to Model Runner. If the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.