Docker Model Runner (DMR) is a tool designed to manage, run, and deploy AI models using Docker containers. In versions prior to 1.1.25, DMR contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33990, CWE-918) in its OCI registry token exchange mechanism. When pulling a model, DMR processes the realm URL provided in the registry's WWW-Authenticate header to obtain authentication tokens. However, it fails to validate the URL's scheme, hostname, or IP range, allowing a malicious OCI registry to specify an internal URL such as http://127.0.0.1:3000/. Consequently, DMR running on the host can be tricked into making arbitrary HTTP GET requests to internal services that are otherwise inaccessible externally. The full response body from these internal services is then reflected back to the attacker-controlled registry, effectively leaking sensitive internal data. Additionally, the token exchange process can relay data from internal services back to the attacker via the Authorization: Bearer header, potentially exposing authentication tokens or other sensitive information. Docker Desktop users benefit from Enhanced Container Isolation (ECI), which blocks container access to Model Runner and mitigates exploitation. However, if Model Runner is exposed over localhost TCP in certain configurations, the vulnerability remains exploitable. The issue has been addressed and patched in version 1.1.25. The CVSS 4.0 base score is 6.8, reflecting a medium severity level due to the requirement of local access and limited attack complexity but high impact on confidentiality. No known exploits have been reported in the wild as of the publication date.

This SSRF vulnerability allows attackers controlling a malicious OCI registry to coerce Docker Model Runner into making unauthorized HTTP requests to internal network services on the host machine. This can lead to unauthorized disclosure of sensitive internal data, including potentially sensitive API responses, metadata, or authentication tokens. The reflected responses can be used to gather intelligence about internal infrastructure, facilitating further attacks such as lateral movement or privilege escalation. For organizations deploying AI models with Docker Model Runner, especially in environments where the service is exposed on localhost TCP, this vulnerability could expose internal services that are otherwise protected by network segmentation or firewalls. The impact is particularly significant in environments where internal services contain sensitive business logic, credentials, or personally identifiable information. Although exploitation requires some level of local or container access, the ability to leak internal data remotely via the token exchange flow increases the attack surface. The vulnerability could also undermine trust in the supply chain if attackers compromise or impersonate OCI registries. Overall, the vulnerability poses a medium risk to confidentiality and internal network security, with limited impact on integrity or availability.

1. Upgrade Docker Model Runner to version 1.1.25 or later, where the SSRF vulnerability has been patched with proper validation of the realm URL. 2. For Docker Desktop users, enable Enhanced Container Isolation (ECI) to prevent containers from accessing the Model Runner service, effectively blocking exploitation. 3. Avoid exposing Docker Model Runner over localhost TCP interfaces unless strictly necessary; if exposure is required, implement strict access controls and network segmentation to limit access to trusted users and services. 4. Monitor network traffic and logs for unusual outbound HTTP requests originating from Model Runner processes, especially requests to internal IP ranges or localhost addresses. 5. Validate and restrict the use of OCI registries to trusted sources only, reducing the risk of interacting with malicious registries that could exploit this vulnerability. 6. Implement network-level protections such as firewall rules to restrict Model Runner's ability to reach internal services that are not intended to be accessed externally. 7. Conduct regular security audits and penetration tests focusing on containerized AI model deployment environments to detect similar SSRF or token exchange vulnerabilities. 8. Educate DevOps and security teams about the risks of SSRF in containerized environments and the importance of secure configuration management.