CVE-2026-33990: CWE-918: Server-Side Request Forgery (SSRF) in docker model-runner
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
AI Analysis
Technical Summary
Docker Model Runner (DMR) before version 1.1.25 has an SSRF vulnerability (CWE-918) in its OCI registry token exchange process. When pulling models, DMR follows the realm URL from the registry's WWW-Authenticate header without validating its scheme, hostname, or IP range. A malicious OCI registry can set this realm to an internal URL (e.g., http://127.0.0.1:3000/), causing DMR running on the host to send arbitrary GET requests to internal services. The full response body from these internal services is reflected back to the attacker. Additionally, the token exchange can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This vulnerability is fixed in version 1.1.25. Docker Desktop's Enhanced Container Isolation (ECI) feature blocks container access to Model Runner, mitigating exploitation, but exposure of Model Runner to localhost over TCP in certain configurations remains a risk.
Potential Impact
An attacker controlling a malicious OCI registry can exploit this SSRF vulnerability to make Docker Model Runner send arbitrary GET requests to internal services on the host. This can lead to unauthorized disclosure of internal service responses to the attacker. The attacker can also relay data from internal services back to their registry via the Authorization header. This could potentially expose sensitive internal information. The vulnerability requires local or low-privilege access (AV:L, PR:L) and has no user interaction requirement. The CVSS 4.0 base score is 6.8 (medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Docker Model Runner to version 1.1.25 or later, where this SSRF vulnerability is patched. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) prevents container access to Model Runner and mitigates exploitation. Avoid exposing Docker Model Runner to localhost over TCP in configurations that allow external access, as this can still permit exploitation despite ECI. Patch status is confirmed fixed in version 1.1.25.
CVE-2026-33990: CWE-918: Server-Side Request Forgery (SSRF) in docker model-runner
Description
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Docker Model Runner (DMR) before version 1.1.25 has an SSRF vulnerability (CWE-918) in its OCI registry token exchange process. When pulling models, DMR follows the realm URL from the registry's WWW-Authenticate header without validating its scheme, hostname, or IP range. A malicious OCI registry can set this realm to an internal URL (e.g., http://127.0.0.1:3000/), causing DMR running on the host to send arbitrary GET requests to internal services. The full response body from these internal services is reflected back to the attacker. Additionally, the token exchange can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This vulnerability is fixed in version 1.1.25. Docker Desktop's Enhanced Container Isolation (ECI) feature blocks container access to Model Runner, mitigating exploitation, but exposure of Model Runner to localhost over TCP in certain configurations remains a risk.
Potential Impact
An attacker controlling a malicious OCI registry can exploit this SSRF vulnerability to make Docker Model Runner send arbitrary GET requests to internal services on the host. This can lead to unauthorized disclosure of internal service responses to the attacker. The attacker can also relay data from internal services back to their registry via the Authorization header. This could potentially expose sensitive internal information. The vulnerability requires local or low-privilege access (AV:L, PR:L) and has no user interaction requirement. The CVSS 4.0 base score is 6.8 (medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Docker Model Runner to version 1.1.25 or later, where this SSRF vulnerability is patched. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) prevents container access to Model Runner and mitigates exploitation. Avoid exposing Docker Model Runner to localhost over TCP in configurations that allow external access, as this can still permit exploitation despite ECI. Patch status is confirmed fixed in version 1.1.25.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T22:20:06.211Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cd7224e6bfc5ba1dee83ef
Added to database: 4/1/2026, 7:29:40 PM
Last enriched: 4/9/2026, 10:39:12 PM
Last updated: 5/21/2026, 7:10:07 PM
Views: 142
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.