CVE-2026-5817 Overview
CVE-2026-5817 affects the vllm-metal inference backend in Docker Model Runner on macOS. The backend unconditionally sets trust_remote_code=True when loading model tokenizers and runs without sandboxing. This configuration causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files bundled inside any model pulled from an Open Container Initiative (OCI) registry. Triggering inference on a malicious model results in arbitrary code execution on the Docker host under the Docker Desktop user account. Any container on the Docker network can invoke the model-runner.docker.internal API to pull a hostile model and request inference, exposing the host to lateral compromise from untrusted workloads.
Critical Impact
Any container on the Docker network can achieve arbitrary code execution on the macOS host as the Docker Desktop user by requesting inference on a malicious OCI model.
Affected Products
- Docker Desktop for macOS — Docker Model Runner with the vllm-metal inference backend
- Hosts running containers with access to model-runner.docker.internal
- Workflows that pull models from untrusted OCI registries
Discovery Timeline
- 2026-05-22 - CVE-2026-5817 published to the National Vulnerability Database (NVD)
- 2026-05-22 - Last updated in the NVD database
Technical Details for CVE-2026-5817
Vulnerability Analysis
The vllm-metal backend loads tokenizers through the Hugging Face transformers library. It calls AutoTokenizer.from_pretrained() with trust_remote_code=True hardcoded. That parameter instructs transformers to import Python modules shipped alongside the model files. Any *.py file referenced by the tokenizer or model configuration executes inside the Docker Model Runner process. Because the backend also runs without an enforcing sandbox, code executes with the privileges of the Docker Desktop user on the host. The flaw maps to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
Root Cause
The backend hardcodes trust_remote_code=True instead of gating the option behind explicit operator consent or registry allow-listing. Docker Model Runner treats every OCI model as trusted input, even when pulled on demand by an untrusted container. The absence of sandboxing around the inference worker removes the second layer of defense that would otherwise contain code embedded in a model package.
Attack Vector
The attack requires local network reachability to the Docker Model Runner API. A malicious container on the Docker network calls model-runner.docker.internal to pull a crafted model from an attacker-controlled OCI registry. The model package includes Python files that execute during tokenizer initialization. When the attacker then triggers inference, the hostile code runs on the macOS host as the Docker Desktop user. The attacker gains access to user files, credentials, SSH keys, and any Docker socket the user can reach. Refer to the Docker Release Notes #4680 for vendor-supplied technical context.
Detection Methods for CVE-2026-5817
Indicators of Compromise
- Unexpected outbound pulls from the Docker Model Runner process to unknown OCI registries
- New Python child processes spawned by Docker Model Runner outside of expected model directories
- Modifications to user-owned files (~/.ssh, ~/.aws, keychain access) following a model pull
- API calls from containers to model-runner.docker.internal referencing unfamiliar model identifiers
Detection Strategies
- Inspect process telemetry on macOS for Python interpreters launched by Docker Model Runner with arguments pointing to model cache directories.
- Correlate OCI registry pull events with subsequent file system writes or network egress from the Docker Desktop user context.
- Alert on container-originated HTTP requests to model-runner.docker.internal/v1/models that reference registries outside an approved list.
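The third strategy above, worked through as an added example (not code from Docker or this advisory): it parses constructed Model Runner API log lines, resolves the registry of each OCI model reference, flags requests whose registry is outside an allow-list, and correlates a pull with the subsequent inference request from the same container. The log format, the field names and the docker.io default registry are assumptions made for the example.

```python
import re

# Constructed Model Runner API log lines (the format is an assumption made for
# this example; the real log format is not described in the advisory).
SAMPLE_LOG = """\
2026-05-22T10:01:03Z src=172.18.0.4 method=POST path=/v1/models ref=ai/llama3.2:1b
2026-05-22T10:01:09Z src=172.18.0.4 method=POST path=/v1/chat/completions ref=ai/llama3.2:1b
2026-05-22T10:02:41Z src=172.18.0.9 method=POST path=/v1/models ref=untrusted.example/evil/tok:latest
2026-05-22T10:02:45Z src=172.18.0.9 method=POST path=/v1/chat/completions ref=untrusted.example/evil/tok:latest
2026-05-22T10:03:00Z src=172.18.0.9 method=POST path=/v1/models ref=localhost:5000/dev/model:v1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=\S+ path=(?P<path>\S+) ref=(?P<ref>\S+)$")
DEFAULT_REGISTRY = "docker.io"   # assumed default for short refs such as ai/llama3.2
PULL_PATH = "/v1/models"

def registry_of(model_ref):
    """Registry host of an OCI reference: the first path component when it looks
    like a host (has '.' or ':' or is 'localhost'), else the default registry."""
    first, sep, _ = model_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY

def off_list_requests(log_text, allowed_registries):
    """Every request whose model registry is not allow-listed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unparseable line: skipped here, worth its own alert in production
        reg = registry_of(m["ref"])
        if reg not in allowed_registries:
            hits.append((m["ts"], m["src"], m["path"], m["ref"], reg))
    return hits

def pull_then_infer(log_text, allowed_registries):
    """Source containers that pulled an off-list model and then requested inference
    on it: the exact sequence that reaches the tokenizer loading code path."""
    pulled = {}   # (src, ref) -> pull timestamp
    flagged = set()
    for ts, src, path, ref, _ in off_list_requests(log_text, allowed_registries):
        if path == PULL_PATH:
            pulled[(src, ref)] = ts
        elif (src, ref) in pulled and ts >= pulled[(src, ref)]:
            flagged.add(src)
    return flagged
```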
Monitoring Recommendations
- Log all Docker Model Runner API calls, including the requesting container, model reference, and inference endpoint.
- Capture process lineage for Docker Desktop helper processes and forward to a centralized analytics platform.
- Monitor egress from the macOS host for connections to unfamiliar container registries.
How to Mitigate CVE-2026-5817
Immediate Actions Required
- Upgrade Docker Desktop for macOS to the release referenced in Docker Release Notes #4680.
- Disable Docker Model Runner on hosts that do not require local inference until patched.
- Restrict which containers can reach model-runner.docker.internal by tightening Docker network policies.
- Audit recently pulled models and remove any sourced from untrusted registries.
Patch Information
Docker addressed the issue in the Docker Desktop release documented in the Docker Release Notes #4680. The fix removes the unconditional trust_remote_code=True setting in the vllm-metal backend. Apply the update on all macOS developer workstations that run Docker Desktop.
Workarounds
- Block container access to the Docker Model Runner API by placing sensitive workloads on isolated user-defined networks.
- Pull models only from internal, signed OCI registries and verify model contents before use.
- Run Docker Desktop under a dedicated, low-privilege macOS account that lacks access to developer secrets.
# Configuration example: restrict container access to the Model Runner API
# Run untrusted workloads on an isolated network with no access to host-internal DNS
docker network create --driver bridge --internal isolated-net
docker run --rm --network isolated-net untrusted/image:latest
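The root cause (hardcoded trust_remote_code=True) and the "verify model contents before use" workaround, as one added example that is not code from Docker, vllm-metal or transformers: it inspects a pulled model package for the hooks transformers follows when remote code is trusted (auto_map entries in config.json and tokenizer_config.json, plus any bundled .py files) and gates the trust_remote_code value behind explicit operator opt-in and a model allow-list, refusing the load otherwise. The function names and the sample package built by make_sample are constructed for the example.

```python
import json
import tempfile
from pathlib import Path

# transformers resolves custom model code through "auto_map" entries such as
# {"auto_map": {"AutoTokenizer": ["tokenization_x.XTokenizer", null]}} in
# config.json / tokenizer_config.json and imports tokenization_x.py when trusted.
CONFIG_FILES = ("config.json", "tokenizer_config.json")

def find_remote_code(model_dir):
    """List every custom-code hook found in a pulled model package."""
    root = Path(model_dir)
    findings = []
    for name in CONFIG_FILES:
        path = root / name
        if not path.is_file():
            continue
        try:
            auto_map = json.loads(path.read_text()).get("auto_map") or {}
        except (ValueError, AttributeError, UnicodeDecodeError):
            findings.append((name, "unparseable config, treat as hostile"))
            continue
        for cls, target in auto_map.items():
            # values are "module.Class" strings or [module.Class, module.Class] pairs
            for t in (target if isinstance(target, list) else [target]):
                if t:
                    findings.append((name, f"auto_map {cls} -> {t}"))
    for py in sorted(root.rglob("*.py")):
        findings.append((str(py.relative_to(root)), "python source in package"))
    return findings

def trust_decision(model_dir, model_ref, allowlist, operator_opt_in=False):
    """trust_remote_code value the loader should pass, or None to refuse the load.
    Default is False; True only with explicit opt-in AND an allow-listed ref."""
    if not find_remote_code(model_dir):
        return False   # no custom-code hooks: a plain load is safe
    if operator_opt_in and model_ref in allowlist:
        return True
    return None        # refuse rather than execute unreviewed code

def make_sample(with_code):
    """Constructed model package for demonstration (not a real model)."""
    root = Path(tempfile.mkdtemp(prefix="model-"))
    cfg = {"model_type": "llama"}
    if with_code:
        cfg["auto_map"] = {"AutoTokenizer": ["tokenization_x.XTokenizer", None]}
        (root / "tokenization_x.py").write_text("# custom tokenizer module\n")
    (root / "tokenizer_config.json").write_text(json.dumps(cfg))
    return str(root)
```

The value returned by trust_decision is what a hardened backend would pass as trust_remote_code; None means the pull should be rejected before any tokenizer is constructed.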
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.