Docker Model Runner (DMR) is a component used to manage and deploy AI models within Docker environments. Versions before 1.0.16 contain a critical vulnerability (CVE-2026-28400) due to an exposed POST /engines/_configure endpoint that accepts arbitrary runtime flags without requiring authentication. These flags are forwarded directly to the underlying inference server (llama.cpp), enabling an attacker with network access to inject flags such as --log-file. This injection allows arbitrary file write or overwrite operations within the file system accessible to the Model Runner process. When Docker Model Runner is integrated with Docker Desktop (enabled by default since version 4.46.0), the vulnerable endpoint is accessible from any default container via the internal DNS name model-runner.docker.internal without authentication, significantly broadening the attack surface. Exploiting this can lead to overwriting the Docker Desktop VM disk file (Docker.raw), effectively destroying all containers, images, volumes, and build history, causing severe data loss and service disruption. Furthermore, in specific configurations combined with user interaction, this vulnerability can be escalated to a container escape, allowing attackers to break out of container isolation. The vulnerability has a CVSS v3.1 score of 7.6 (high severity), reflecting its impact on confidentiality, integrity, and availability, as well as the complexity of exploitation requiring local network access and some user interaction. The issue was addressed in Docker Model Runner 1.0.16 and Docker Desktop 4.61.0. As a mitigation, enabling Enhanced Container Isolation (ECI) prevents containers from accessing Model Runner, blocking exploitation. However, if Model Runner is exposed over localhost TCP in certain configurations, the vulnerability remains exploitable. No known active exploits have been reported to date.

The vulnerability allows attackers with network access to the Docker Model Runner API to write or overwrite arbitrary files, potentially leading to complete destruction of Docker Desktop VM storage and all associated containers, images, volumes, and build history. This results in significant data loss and operational downtime. Additionally, under specific conditions, the flaw can be leveraged for container escape, compromising container isolation and potentially allowing attackers to execute code on the host system. This undermines the confidentiality, integrity, and availability of affected systems. Organizations relying on Docker Desktop with AI model deployments using Model Runner are at risk of severe disruption, data loss, and potential lateral movement within their infrastructure. The requirement for network access and some user interaction limits remote exploitation but does not eliminate risk, especially in multi-tenant or developer environments where containers and Docker Desktop are widely used.

1. Upgrade Docker Model Runner to version 1.0.16 or later and Docker Desktop to version 4.61.0 or later to obtain the official patch. 2. Enable Enhanced Container Isolation (ECI) in Docker Desktop to block container access to the Model Runner service, preventing exploitation from containers. 3. Audit and restrict network access to the Model Runner API, ensuring it is not exposed over TCP on localhost or any network interfaces accessible to untrusted users or containers. 4. Implement strict firewall rules and network segmentation to limit access to Docker Desktop management interfaces and internal services. 5. Monitor Docker Desktop and Model Runner logs for unusual POST requests to /engines/_configure or unexpected runtime flag injections. 6. Educate users and administrators about the risks of running untrusted containers and the importance of applying updates promptly. 7. Consider disabling or restricting the use of Model Runner if AI model deployment is not required in the environment. 8. Regularly back up Docker Desktop VM data and container images to enable recovery in case of destructive attacks.