CVE-2026-28400 (GCVE-0-2026-28400)

Vulnerability from cvelistv5 – Published: 2026-02-27 21:06 – Updated: 2026-03-03 20:30
VLAI?
Title
Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint
Summary
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Severity ?
7.6 (High)
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
  • CWE-749 - Exposed Dangerous Method or Function
Assigner
References
Impacted products
Vendor Product Version
docker model-runner Affected: < 1.0.16
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28400",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T20:30:23.572316Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T20:30:39.966Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "model-runner",
          "vendor": "docker",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a  POST `/engines/_configure`  endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the  --log-file  flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at  model-runner.docker.internal  without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-749",
              "description": "CWE-749: Exposed Dangerous Method or Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T21:06:12.418Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c"
        },
        {
          "name": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379"
        }
      ],
      "source": {
        "advisory": "GHSA-m456-c56c-hh5c",
        "discovery": "UNKNOWN"
      },
      "title": "Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28400",
    "datePublished": "2026-02-27T21:06:12.418Z",
    "dateReserved": "2026-02-27T15:33:57.288Z",
    "dateUpdated": "2026-03-03T20:30:39.966Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28400",
      "date": "2026-04-18",
      "epss": "0.00018",
      "percentile": "0.04682"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28400\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-27T22:16:23.160\",\"lastModified\":\"2026-03-02T20:30:10.923\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a  POST `/engines/_configure`  endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the  --log-file  flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at  model-runner.docker.internal  without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.\"},{\"lang\":\"es\",\"value\":\"Docker Model Runner (DMR) es un software utilizado para gestionar, ejecutar e implementar modelos de IA usando Docker. Las versiones anteriores a la 1.0.16 exponen un endpoint POST `/engines/_configure` que acepta flags de tiempo de ejecuci\u00f3n arbitrarios sin autenticaci\u00f3n. Estos flags se pasan directamente al servidor de inferencia subyacente (llama.cpp). Al inyectar el flag --log-file, un atacante con acceso de red a la API de Model Runner puede escribir o sobrescribir archivos arbitrarios accesibles para el proceso de Model Runner. Cuando se incluye con Docker Desktop (donde Model Runner est\u00e1 habilitado por defecto desde la versi\u00f3n 4.46.0), es accesible desde cualquier contenedor predeterminado en model-runner.docker.internal sin autenticaci\u00f3n. En este contexto, la sobrescritura de archivos puede apuntar al disco de la VM de Docker Desktop (\u0027Docker.raw\u0027), lo que resulta en la destrucci\u00f3n de todos los contenedores, im\u00e1genes, vol\u00famenes e historial de compilaci\u00f3n. Sin embargo, en configuraciones espec\u00edficas y con interacci\u00f3n del usuario, es posible convertir esta vulnerabilidad en un escape de contenedor. El problema est\u00e1 solucionado en Docker Model Runner 1.0.16. Los usuarios de Docker Desktop deben actualizar a la versi\u00f3n 4.61.0 o posterior, que incluye el Model Runner corregido. Una soluci\u00f3n alternativa est\u00e1 disponible. Para los usuarios de Docker Desktop, habilitar el Aislamiento Mejorado de Contenedores (ECI) bloquea el acceso de los contenedores a Model Runner, evitando la explotaci\u00f3n. Sin embargo, si Docker Model Runner est\u00e1 expuesto a localhost a trav\u00e9s de TCP en configuraciones espec\u00edficas, la vulnerabilidad sigue siendo explotable.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-749\"}]}],\"references\":[{\"url\":\"https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28400\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T20:30:23.572316Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T20:30:30.999Z\"}}], \"cna\": {\"title\": \"Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint\", \"source\": {\"advisory\": \"GHSA-m456-c56c-hh5c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"docker\", \"product\": \"model-runner\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.16\"}]}], \"references\": [{\"url\": \"https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c\", \"name\": \"https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379\", \"name\": \"https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a  POST `/engines/_configure`  endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the  --log-file  flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at  model-runner.docker.internal  without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-749\", \"description\": \"CWE-749: Exposed Dangerous Method or Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-27T21:06:12.418Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28400\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-03T20:30:39.966Z\", \"dateReserved\": \"2026-02-27T15:33:57.288Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-27T21:06:12.418Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.