Description
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the `--log-file` flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw`), resulting in the destruction of all containers, images, volumes, and build history. In specific configurations and with user interaction, it is possible to turn this vulnerability into a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available: for Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Published: 2026-02-27
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Manipulation & Potential Container Escape
Action: Immediate Patch
AI Analysis

Impact

Docker Model Runner versions before 1.0.16 expose a POST /engines/_configure endpoint that accepts arbitrary runtime flags without authentication and passes them straight to the llama.cpp inference server. An attacker who can reach the endpoint can inject flags such as --log-file, causing the inference server to create or overwrite any file writable by the Model Runner process. On Docker Desktop that process can write the VM disk image (Docker.raw), so a single request can destroy every container, image, volume and build cache on the machine. In specific configurations, and with user interaction, the same file-write primitive can be turned into a container escape, giving the attacker code execution outside the container.

Affected Systems

The vulnerability exists in Docker Model Runner versions earlier than 1.0.16. Docker Desktop releases from 4.46.0 onward bundle Model Runner enabled by default, exposing the API to any container via the internal DNS name model-runner.docker.internal. The endpoint is also reachable if the Model Runner API is explicitly exposed at localhost over TCP. Attackers with network connectivity to the API can exploit these configurations.

Risk and Exploitability

The CVSS v3.1 vector recorded for this CVE (AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) rates the impact as total with a scope change, but also assumes a local attack vector, high attack complexity, low privileges and user interaction: the attacker is expected to already have code running inside a container that can reach model-runner.docker.internal, and the container-escape variant needs a specific configuration plus a user action. No credentials are required for the API itself, so once that foothold exists a single crafted POST is enough. Note that this vector evaluates to 7.5 under the v3.1 formula and does not reproduce the 7.6 shown above; check the vector against the source advisory before reusing either figure. The EPSS score below 1% indicates a low current probability of exploitation, and the CVE is not listed in the CISA KEV catalog. The most likely outcome is destructive (overwriting Docker.raw and losing all Docker data) rather than a quiet compromise. Publishing the API on a host TCP port widens the attack surface to anything on the host that can reach localhost, and that path is not covered by the ECI workaround.

Generated by OpenCVE AI on April 16, 2026 at 15:14 UTC.

Remediation

Fixed in Docker Model Runner 1.0.16; Docker Desktop 4.61.0 and later bundle the fixed Model Runner. Workaround: on Docker Desktop, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner. ECI does not cover a Model Runner API that has been published on a host TCP port, which remains exploitable until the update is applied.

OpenCVE Recommended Actions

  • Update to Docker Model Runner 1.0.16 or Docker Desktop 4.61.0 and later, which include the fix.
  • If an update is not yet possible, enable Enhanced Container Isolation in Docker Desktop to block container access to the Model Runner API.
  • As a temporary measure, disable host TCP exposure of the Model Runner API (or restrict it to trusted local processes). ECI does not protect that path, so a TCP listener stays exploitable until the update is applied.

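The recommended actions above reduce to a handful of version and configuration rules. As an added example (written for this page; not part of OpenCVE's output or Docker's tooling), the Python helper below encodes those rules so they can be run over a host inventory. The `Host` record and the sample inventory are constructed for illustration; collecting the Model Runner version with `docker model version` is an assumption about how the data would be gathered, and pre-release version suffixes are ignored (release builds assumed).

```python
import re
from dataclasses import dataclass
from typing import Optional

FIXED_MODEL_RUNNER = (1, 0, 16)    # first Docker Model Runner release with the fix
DESKTOP_DEFAULT_ON = (4, 46, 0)    # Docker Desktop enables Model Runner by default from here
DESKTOP_FIXED = (4, 61, 0)         # first Docker Desktop release bundling DMR 1.0.16


def parse_version(text: str) -> tuple:
    """'v4.60.1' / '1.0.15' -> comparable integer tuple, padded to three parts.
    Pre-release suffixes are ignored (assumes release builds)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Host:
    name: str
    model_runner_version: Optional[str]   # e.g. from 'docker model version' (assumed collection step)
    desktop_version: Optional[str]        # Docker Desktop version; None for non-Desktop installs
    eci_enabled: bool = False             # Enhanced Container Isolation (Docker Desktop only)
    tcp_exposed: bool = False             # Model Runner API published on a host TCP port


def vulnerable_code_present(host: Host) -> Optional[bool]:
    """True/False when the advisory lets us decide, None when we need more data."""
    if host.model_runner_version:
        return parse_version(host.model_runner_version) < FIXED_MODEL_RUNNER
    if host.desktop_version:
        dv = parse_version(host.desktop_version)
        if dv >= DESKTOP_FIXED:
            return False
        if dv >= DESKTOP_DEFAULT_ON:
            return True        # bundled DMR is pre-1.0.16 and enabled by default
        return None            # older Desktop: DMR not on by default, need its version
    return None


def assess(host: Host) -> dict:
    """Verdict for one host: patched / mitigated / exploitable / unknown."""
    present = vulnerable_code_present(host)
    if present is False:
        return {"status": "patched", "action": "none"}
    if present is None:
        return {"status": "unknown", "action": "collect the Model Runner version"}

    # Vulnerable code is present; which routes to /engines/_configure remain open?
    paths = []
    if not host.eci_enabled:
        paths.append("container -> model-runner.docker.internal")
    if host.tcp_exposed:
        paths.append("host TCP listener")   # not covered by ECI
    if not paths:
        return {"status": "mitigated",
                "action": "update to DMR 1.0.16 / Docker Desktop 4.61.0"}
    return {"status": "exploitable", "paths": paths,
            "action": "update now; meanwhile disable TCP exposure and enable ECI"}


def triage(hosts) -> dict:
    return {h.name: assess(h) for h in hosts}


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = [
    Host("dev-mac-01", "1.0.15", "4.60.0"),
    Host("dev-mac-02", None, "4.61.0"),
    Host("dev-win-03", None, "4.58.0", eci_enabled=True),
    Host("dev-win-04", None, "4.58.0", eci_enabled=True, tcp_exposed=True),
    Host("dev-lin-05", "1.0.16", None),
    Host("old-mac-06", None, "4.40.0"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name:12s} {verdict}")
```

The explicit Model Runner version wins over the Desktop version when both are known, because Desktop users can install a newer Model Runner than the one that shipped with their Desktop release; the Desktop version is only a proxy.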


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type: First Time appeared
Values added: Docker; Docker model-runner
Type: Vendors & Products
Values added: Docker; Docker model-runner

Fri, 27 Feb 2026 21:30:00 +0000

Type: Description
Values added: (the Description text shown at the top of this page)
Type: Title
Values added: Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint
Type: Weaknesses
Values added: CWE-749
Type: References
Values added: (none shown)
Type: Metrics
Values added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Docker Model-runner
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T20:30:39.966Z

Reserved: 2026-02-27T15:33:57.288Z

Link: CVE-2026-28400

Vulnrichment

Updated: 2026-03-03T20:30:30.999Z

NVD

Status : Deferred

Published: 2026-02-27T22:16:23.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-28400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses