CVE-2026-28400: CWE-749: Exposed Dangerous Method or Function in docker model-runner
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the `--log-file` flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), the endpoint is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw`), resulting in the destruction of all containers, images, volumes, and build history. In specific configurations, and with user interaction, it is also possible to turn this vulnerability into a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available: for Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if Docker Model Runner is exposed on localhost over TCP in specific configurations, the vulnerability remains exploitable.
AI Analysis
Technical Summary
Docker Model Runner (DMR) is a component used to manage and deploy AI models within Docker environments. Versions before 1.0.16 contain a critical vulnerability (CVE-2026-28400) due to an exposed POST /engines/_configure API endpoint that accepts arbitrary runtime flags without requiring authentication. These flags are passed directly to the underlying inference server (llama.cpp). An attacker with network access to this API can inject the --log-file flag to write or overwrite arbitrary files accessible to the Model Runner process. When Docker Model Runner is bundled with Docker Desktop (enabled by default since version 4.46.0), this endpoint is reachable from any default container via model-runner.docker.internal without authentication. This allows an attacker to overwrite the Docker Desktop VM disk file (Docker.raw), which stores all containers, images, volumes, and build history, effectively destroying the Docker environment. Furthermore, under specific configurations and with user interaction, this vulnerability can be leveraged for container escape, allowing an attacker to break out of container isolation. The issue is resolved in Docker Model Runner 1.0.16 and Docker Desktop 4.61.0 or later, which include the patched Model Runner. As a mitigation, enabling Enhanced Container Isolation (ECI) prevents containers from accessing Model Runner, blocking exploitation. However, if Model Runner is exposed over localhost TCP in certain setups, the vulnerability remains exploitable. The CVSS v3.1 score is 7.6, reflecting high severity due to the potential for complete compromise of Docker environments, requiring low privileges but some user interaction and network access.
Potential Impact
This vulnerability poses a significant risk to organizations using Docker Desktop with Model Runner enabled, particularly versions prior to 4.61.0. Exploitation can lead to arbitrary file overwrite, resulting in destruction of all Docker containers, images, volumes, and build history, causing severe availability and integrity impacts. Confidentiality is also at risk if attackers can modify or inject malicious files. The potential for container escape in certain configurations elevates the threat, as attackers could gain unauthorized access to the host system, compromising broader infrastructure. This can disrupt development, CI/CD pipelines, and production environments relying on containerized AI workloads. Organizations may face operational downtime, data loss, and increased attack surface for further exploitation. The requirement for network access and some user interaction limits remote exploitation but does not eliminate risk, especially in multi-tenant or developer environments. The vulnerability affects both individual developers and enterprises using Docker Desktop and AI model deployments, making it critical to address promptly.
Mitigation Recommendations
1. Immediately update Docker Model Runner to version 1.0.16 or later and Docker Desktop to version 4.61.0 or newer to obtain the official patch.
2. Enable Enhanced Container Isolation (ECI) in Docker Desktop to block container access to the Model Runner service, preventing exploitation even if the vulnerability exists.
3. Audit and restrict network access to the Model Runner API endpoint, especially blocking exposure over localhost TCP or any network interfaces accessible by untrusted containers or users.
4. Implement strict network segmentation and firewall rules to limit access to Docker internal services.
5. Monitor Docker environments for unusual POST requests to /engines/_configure or unexpected file modifications related to Model Runner.
6. Educate users about the risks of interacting with untrusted containers or services that might exploit this vulnerability.
7. For environments where immediate patching is not possible, consider disabling Model Runner if feasible or isolating Docker Desktop usage to trusted networks only.
8. Regularly review container and host logs for signs of exploitation attempts or anomalous behavior related to file overwrites or container escapes.
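The following added example (not part of the advisory or of the Model Runner project) implements the monitoring described in point 5 and in the technical summary above: it scans an access log for POST requests to /engines/_configure, flags any that carry the `--log-file` flag named in the advisory, and flags reconfigure calls arriving from non-loopback sources. The per-line JSON log format, the `flags` body key, and the sample records are constructed assumptions for this example, not Model Runner's actual log or request format.

```python
import json

CONFIGURE_PATH = "/engines/_configure"
# The advisory names --log-file as the flag abused for arbitrary file writes.
DANGEROUS_FLAGS = {"--log-file"}

# Constructed sample access log (one JSON record per line). The field names and
# the "flags" body key are assumptions for this example, not Model Runner's format.
SAMPLE_LOG = [
    '{"ts":"2026-02-27T21:00:01Z","src":"127.0.0.1","method":"GET","path":"/models"}',
    '{"ts":"2026-02-27T21:00:05Z","src":"172.17.0.3","method":"POST",'
    '"path":"/engines/_configure","body":{"flags":["--ctx-size","4096"]}}',
    '{"ts":"2026-02-27T21:00:09Z","src":"172.17.0.3","method":"POST",'
    '"path":"/engines/_configure","body":{"flags":["--log-file=/mnt/host/Docker.raw"]}}',
    '{"ts":"2026-02-27T21:00:12Z","src":"127.0.0.1","method":"POST",'
    '"path":"/engines/_configure","body":{"flags":["--threads","8"]}}',
    'not json at all',
]


def classify(record):
    """Return (severity, reason) for one parsed record, or None if benign."""
    if record.get("method") != "POST" or record.get("path") != CONFIGURE_PATH:
        return None
    flags = record.get("body", {}).get("flags", [])
    # Match both "--log-file /path" and "--log-file=/path" spellings.
    hits = [f for f in flags if f.split("=", 1)[0] in DANGEROUS_FLAGS]
    if hits:
        return ("high", f"file-path flag {hits[0].split('=', 1)[0]} from {record.get('src')}")
    # Assumption: only the host-side client should reconfigure the engine, so a
    # reconfigure from a non-loopback (container-network) source is worth review.
    if not str(record.get("src", "")).startswith("127."):
        return ("medium", f"engine reconfigure from non-loopback source {record.get('src')}")
    return None


def scan(lines):
    """Parse each log line and collect (ts, severity, reason) findings."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        result = classify(record)
        if result is not None:
            findings.append((record.get("ts"), *result))
    return findings
```

Run `scan(SAMPLE_LOG)` to get the findings for the constructed log; on a real deployment, feed it the access log of the Model Runner service and alert on any "high" result.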
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.288Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a20bf332ffcdb8a2748332
Added to database: 2/27/2026, 9:26:11 PM
Last enriched: 2/27/2026, 9:40:43 PM
Last updated: 2/27/2026, 11:36:44 PM