CVE-2026-28400: CWE-749: Exposed Dangerous Method or Function in docker model-runner
Docker Model Runner versions prior to 1.0.16 expose an unauthenticated POST endpoint that allows attackers with network access to inject arbitrary runtime flags to the underlying inference server. This can be exploited to overwrite arbitrary files accessible to the Model Runner process, including critical Docker Desktop VM disk files, potentially destroying containers, images, volumes, and build history. The vulnerability is fixed in Docker Model Runner 1.0.16 and Docker Desktop 4.61.0. A workaround involves enabling Enhanced Container Isolation to block container access to Model Runner, though certain configurations exposing Model Runner over localhost TCP remain vulnerable.
AI Analysis
Technical Summary
CVE-2026-28400 is a high-severity vulnerability in Docker Model Runner versions before 1.0.16. It arises from an exposed POST /engines/_configure endpoint that accepts arbitrary runtime flags without authentication. Attackers with network access can inject the --log-file flag to write or overwrite files accessible to the Model Runner process. When Docker Model Runner is bundled with Docker Desktop (enabled by default since version 4.46.0), this endpoint is reachable from any default container via model-runner.docker.internal without authentication. Exploitation can lead to overwriting the Docker Desktop VM disk file (Docker.raw), causing loss of all containers, images, volumes, and build history. Under specific configurations and with user interaction, this vulnerability may enable container escape. The issue is resolved in Docker Model Runner 1.0.16 and Docker Desktop 4.61.0. Enabling Enhanced Container Isolation (ECI) can mitigate the risk by blocking container access to Model Runner, though exposure over localhost TCP may still be exploitable.
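The flag injection described above is the kind of input an allowlist check stops before it reaches the inference server's command line. The Go sketch below is an added example, not Docker's patch or Model Runner code; the function name, the allowlisted flag names and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedFlags is an illustrative allowlist (assumed names, not the project's).
// The bool records whether the flag takes a value.
var allowedFlags = map[string]bool{
	"--ctx-size": true,
	"--threads":  true,
	"--verbose":  false,
}

// ValidateRuntimeFlags (hypothetical helper) accepts only allowlisted flags,
// in "--name value" or "--name=value" form, and rejects path-like values.
func ValidateRuntimeFlags(args []string) error {
	for i := 0; i < len(args); i++ {
		name, value, hasInline := strings.Cut(args[i], "=")
		takesValue, ok := allowedFlags[name]
		if !ok {
			return fmt.Errorf("flag %q is not permitted", name)
		}
		if !takesValue {
			if hasInline {
				return fmt.Errorf("flag %q takes no value", name)
			}
			continue
		}
		if !hasInline {
			i++ // the value is the next argument
			if i >= len(args) {
				return fmt.Errorf("flag %q is missing its value", name)
			}
			value = args[i]
		}
		// A value must not be another flag or name a filesystem path.
		if value == "" || strings.HasPrefix(value, "-") || strings.ContainsAny(value, `/\`) {
			return fmt.Errorf("flag %q has an unsafe value %q", name, value)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	fmt.Println(ValidateRuntimeFlags([]string{"--ctx-size", "4096", "--verbose"}))
	fmt.Println(ValidateRuntimeFlags([]string{"--threads=8", "--log-file=/tmp/out.log"}))
}
```

Because the check is default-deny, `--log-file` is refused in either spelling without the validator having to know about it, and a flag smuggled in as another flag's value is refused as well.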
Potential Impact
Successful exploitation allows an attacker with network access to the Model Runner API to overwrite arbitrary files accessible by the Model Runner process. In Docker Desktop environments, this can result in destruction of the Docker VM disk file, leading to complete loss of containers, images, volumes, and build history. Additionally, under certain configurations and with user interaction, the vulnerability may enable container escape, compromising container isolation. The CVSS score of 7.6 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
The fix is available in Docker Model Runner 1.0.16. Docker Desktop users should upgrade to version 4.61.0 or later, which includes the patched Model Runner. As a workaround, enabling Enhanced Container Isolation (ECI) in Docker Desktop blocks container access to Model Runner and prevents exploitation. However, if the Model Runner API is exposed over localhost TCP in specific configurations, the vulnerability remains exploitable, so users should avoid such exposure. Users should consult the Docker advisory for detailed remediation steps and confirm that their environment is updated accordingly.
CVSS v3.1
Score: 7.6 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.288Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a20bf332ffcdb8a2748332
Added to database: 2/27/2026, 9:26:11 PM
Last enriched: 5/26/2026, 8:24:57 PM
Last updated: 5/29/2026, 7:02:16 PM