CVE-2026-5817

HIGH 8.2

Docker Model Runner container-to-host code execution via unsandboxed trust_remote_code in Python inference backends

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

3th

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference.

CWE	CWE-829
Vendor	docker
Product	docker desktop
Ecosystems	Container
Industries	Technology
Published	May 22, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for docker docker desktop

Be the first to know when new high vulnerabilities affecting docker docker desktop are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Docker / Docker Desktop

4.62.0 < 4.68.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.docker.com: https://docs.docker.com/desktop/release-notes/#4680

Credits

David Rochester (@davidrxchester) Nicholas Gould (@gouldnicholas)