Description
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user.

Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.
Published: 2026-05-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MLX inference backend in Docker Model Runner on macOS imports and executes arbitrary Python files listed in a model’s configuration, without any sandboxing or trust guard. Because the loader uses importlib unconditionally, a malicious model can contain code that runs as the Docker Desktop user, giving an attacker full control of the host machine's file system and resources.

Affected Systems

Docker Desktop on macOS with the Model Runner feature enabled is affected. Any container that accesses the Model Runner API can trigger the vulnerability by loading a model that points to a malicious Python file.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8 and is not currently listed in the CISA KEV catalog. Its exploitability relies on an attacker-controlled OCI registry from which a container can pull a malicious model and then activate inference via the model‑runner.docker.internal API. Any container on the Docker network can initiate this, so the risk is significant for environments that run untrusted containers with Model Runner enabled.

Generated by OpenCVE AI on May 22, 2026 at 21:22 UTC.

Remediation

Vendor Workaround

Disable Docker Model Runner or only run trusted containers on Docker Desktop instances where Model Runner is enabled.

OpenCVE Recommended Actions

  • Disable Docker Model Runner or ensure it runs only trusted containers on instances where the feature is enabled.
  • Upgrade Docker Desktop to a version that includes the fix released after version 47.10, as detailed in Docker’s release notes.
  • If a patch is unavailable, block external OCI registries or restrict network access to the model‑runner.docker.internal endpoint to prevent malicious models from being retrieved.

Generated by OpenCVE AI on May 22, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Docker
Docker docker Desktop
Vendors & Products Docker
Docker docker Desktop

Fri, 22 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.
Title Docker Model Runner container-to-host code execution via MLX-LM model_file importlib loading
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Docker Docker Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: Docker

Published:

Updated: 2026-05-22T19:28:38.857Z

Reserved: 2026-04-08T17:43:50.508Z

Link: CVE-2026-5843

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses