CVE-2026-5817 (GCVE-0-2026-5817)

Vulnerability from cvelistv5 – Published: 2026-05-22 19:24 – Updated: 2026-05-22 19:24
VLAI
Title
Docker Model Runner container-to-host code execution via unsandboxed trust_remote_code in Python inference backends
Summary
The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference.
Severity
8.8 (High)
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
8.2 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
  • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
Impacted products
Vendor Product Version
Docker Docker Desktop Affected: 4.62.0 , < 4.68.0 (semver)
Create a notification for this product.
Credits
David Rochester (@davidrxchester) Nicholas Gould (@gouldnicholas)
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "MacOS"
          ],
          "product": "Docker Desktop",
          "vendor": "Docker",
          "versions": [
            {
              "lessThan": "4.68.0",
              "status": "affected",
              "version": "4.62.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Docker Model Runner enabled with the vllm-metal inference backend on macOS"
            }
          ],
          "value": "Docker Model Runner enabled with the vllm-metal inference backend on macOS"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "David Rochester (@davidrxchester)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Nicholas Gould (@gouldnicholas)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets \u003ccode\u003etrust_remote_code=True\u003c/code\u003e when loading model tokenizers, and runs without sandboxing. This causes \u003ccode\u003etransformers.AutoTokenizer.from_pretrained()\u003c/code\u003e to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered.\u003cbr\u003e\u003cbr\u003eAny container on the Docker network can trigger this by calling the \u003ccode\u003emodel-runner.docker.internal\u003c/code\u003e API to pull a malicious model and request inference."
            }
          ],
          "value": "The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered.\n\nAny container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-480",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-480 Escaping Virtualization"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T19:24:15.662Z",
        "orgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e",
        "shortName": "Docker"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.docker.com/desktop/release-notes/#4680"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Docker Model Runner container-to-host code execution via unsandboxed trust_remote_code in Python inference backends",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Disable Docker Model Runner or only run trusted containers on Docker Desktop instances where Model Runner is enabled."
            }
          ],
          "value": "Disable Docker Model Runner or only run trusted containers on Docker Desktop instances where Model Runner is enabled."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e",
    "assignerShortName": "Docker",
    "cveId": "CVE-2026-5817",
    "datePublished": "2026-05-22T19:24:15.662Z",
    "dateReserved": "2026-04-08T15:34:05.200Z",
    "dateUpdated": "2026-05-22T19:24:15.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-5817",
      "date": "2026-05-26",
      "epss": "0.00014",
      "percentile": "0.02591"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.