PT-2026-29104 · Docker · Docker Desktop, Docker Model Runner

Published 2026-03-30 · Updated 2026-03-30 · CVE-2026-33990

CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Docker Model Runner versions prior to 1.1.25
Docker Desktop versions prior to 4.67.0
Description

The software contains a Server-Side Request Forgery (SSRF) issue in the OCI registry token exchange. When pulling a model, the client follows the realm URL from the registry's WWW-Authenticate header without validating its scheme, hostname, or IP range. A malicious OCI registry can therefore point the realm at an internal address such as http://127.0.0.1:3000/, causing the client to issue arbitrary GET requests to internal services on the attacker's behalf. The response from the internal service is returned to the caller and, because it is treated as the token, is also sent back to the attacker-controlled registry in the Authorization: Bearer header, which gives the attacker a channel to read the internal response.
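The following Go program is an added illustration of the missing check, not code from Docker Model Runner or from the advisory. It parses a Bearer challenge, validates the realm URL the way a registry client should (https only, no localhost, no literal or resolved internal address) and adds a dial-time re-check against DNS rebinding. The challenge string, the hostnames auth.example.test and rebind.example.test, and the stub resolver are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
	"syscall"
)

// paramRe matches key="value" pairs in a Bearer challenge, e.g.
// realm="https://auth.example.test/token",service="registry".
var paramRe = regexp.MustCompile(`(\w+)="([^"]*)"`)

// parseBearerChallenge extracts the parameters of a WWW-Authenticate Bearer
// challenge; it rejects non-Bearer challenges and challenges without a realm.
func parseBearerChallenge(header string) (map[string]string, error) {
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(header[len("bearer "):], -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	if params["realm"] == "" {
		return nil, errors.New("bearer challenge has no realm")
	}
	return params, nil
}

// isForbiddenIP rejects addresses a registry-supplied realm must never reach:
// loopback, RFC 1918 / ULA, link-local (which covers 169.254.169.254 cloud
// metadata endpoints), unspecified and multicast.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateRealm performs the check the advisory says was missing: https only,
// no localhost or literal internal IP, and every address the hostname resolves
// to must be public. The resolver is injected so this runs offline; real code
// would pass net.LookupIP.
func validateRealm(realm string, resolve func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("realm %q: %w", realm, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("realm %q: scheme %q not allowed (https only)", realm, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("realm %q: empty host", realm)
	}
	if l := strings.ToLower(host); l == "localhost" || strings.HasSuffix(l, ".localhost") {
		return fmt.Errorf("realm %q: localhost not allowed", realm)
	}
	if ip := net.ParseIP(host); ip != nil {
		if isForbiddenIP(ip) {
			return fmt.Errorf("realm %q: internal address %s not allowed", realm, ip)
		}
		return nil
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("realm %q: cannot resolve host %q", realm, host)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("realm %q: host %q resolves to internal address %s", realm, host, ip)
		}
	}
	return nil
}

// checkDialAddr is meant for net.Dialer.Control on the token-exchange HTTP
// client: it re-checks the address actually being connected to, closing the
// DNS-rebinding window between validateRealm's lookup and the real connection.
func checkDialAddr(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isForbiddenIP(ip) {
		return fmt.Errorf("refusing to connect to %s", address)
	}
	return nil
}

func main() {
	// Constructed challenge from a hypothetical malicious registry.
	evil := `Bearer realm="http://127.0.0.1:3000/",service="registry",scope="repository:ai/model:pull"`
	p, _ := parseBearerChallenge(evil)
	fmt.Println(validateRealm(p["realm"], net.LookupIP))
	fmt.Println(checkDialAddr("tcp", "127.0.0.1:3000", nil))
}
```

Wire checkDialAddr into the client with `&net.Dialer{Control: checkDialAddr}` as the transport's DialContext source; validating the realm once and then letting the HTTP client resolve the name again leaves a rebinding gap that only a connect-time check closes.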
Recommendations

Update Docker Model Runner to version 1.1.25 or later and Docker Desktop to version 4.67.0 or later. As a temporary workaround, enable Enhanced Container Isolation (ECI) to block container access to the Model Runner; note that this does not fully mitigate the issue if the Docker Model Runner is exposed to localhost over TCP.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33990
GHSA-X2F5-332J-9XWQ

Affected Products

Docker Desktop
Docker Model Runner