CVE-2026-5843 Overview
CVE-2026-5843 is an arbitrary code execution vulnerability in the MLX inference backend of Docker Model Runner on macOS. The backend relies on the MLX-LM library, which unconditionally imports and executes Python files referenced by the model_file field in a model's config.json. No trust_remote_code gate or equivalent safety check exists. The MLX backend runs without sandboxing, so attacker-supplied code executes on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger the flaw by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference. The weakness is tracked under CWE-829: Inclusion of Functionality from Untrusted Control Sphere.
Critical Impact
A malicious model pulled through Docker Model Runner achieves arbitrary code execution on the macOS Docker host, fully compromising the Docker Desktop user context.
Affected Products
- Docker Desktop on macOS with Docker Model Runner enabled (versions prior to 4.71.0)
- MLX inference backend in Docker Model Runner
- MLX-LM library integration shipped with Docker Model Runner
Discovery Timeline
- 2026-05-22 - CVE-2026-5843 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-5843
Vulnerability Analysis
Docker Model Runner exposes an inference API at model-runner.docker.internal reachable from any container on the Docker network. On macOS, the MLX backend loads models using the MLX-LM library. MLX-LM reads config.json from the model directory and resolves the model_file field to a Python module path. The library then calls importlib to load that module, which causes Python to execute any top-level code in the referenced file.
Because MLX-LM lacks a trust_remote_code opt-in flag and Docker Model Runner does not validate model contents, an attacker can publish a malicious model to any OCI registry. When that model is pulled and an inference request is issued, the attacker's Python code runs in the MLX backend process. The MLX backend runs unsandboxed on the host, so code executes with the privileges of the Docker Desktop user. Attackers can read user files, write to the user's home directory, harvest credentials, and pivot to other developer assets.
Root Cause
The root cause is unsafe inclusion of functionality from an untrusted control sphere [CWE-829]. MLX-LM treats model directory contents as trusted code and uses importlib to load arbitrary Python files declared in config.json. Docker Model Runner inherits this behavior without imposing sandboxing, signature verification, or a remote-code-execution consent gate.
Attack Vector
The attack is local to the Docker host but trivially reachable from any container sharing the Docker network. An attacker stages a malicious model on an OCI registry whose config.json sets model_file to a Python file containing malicious payloads. The attacker calls the Model Runner API to pull the model and issues an inference request. MLX-LM imports the Python file, executing the payload as the Docker Desktop user. No user interaction is required beyond running a hostile container or building from a hostile image.
No verified public exploit code is available. See the Docker Release Notes for 4.71.0 for vendor remediation details.
Detection Methods for CVE-2026-5843
Indicators of Compromise
- Unexpected outbound pulls from Docker Model Runner to unfamiliar OCI registries or repositories.
- config.json files in model directories that reference .py files via the model_file field.
- Child processes spawned by the MLX backend that perform shell execution, network egress, or file system enumeration outside model inference paths.
- New or modified files in the Docker Desktop user's home directory shortly after a model pull or inference request.
Detection Strategies
- Inspect cached model directories under Docker Model Runner storage for Python files referenced by config.json.
- Monitor API calls to model-runner.docker.internal originating from containers that should not perform inference.
- Alert on importlib activity within the MLX backend process that loads files outside the MLX-LM package path.
- Correlate model pull events with subsequent process, file, and network activity on the macOS host.
Monitoring Recommendations
- Enable endpoint telemetry on macOS developer workstations to capture process lineage from Docker Desktop helper processes.
- Log all OCI registry pulls triggered by Docker Model Runner and review for non-approved registries.
- Track inference requests and source container identity through Docker daemon logs.
How to Mitigate CVE-2026-5843
Immediate Actions Required
- Upgrade Docker Desktop to version 4.71.0 or later on all macOS hosts running Model Runner.
- Disable Docker Model Runner on macOS hosts where MLX inference is not required.
- Restrict which containers can reach model-runner.docker.internal by segmenting Docker networks.
- Audit existing cached models for config.json entries that reference .py files and remove untrusted models.
Patch Information
Docker addressed the issue in Docker Desktop 4.71.0. Refer to the Docker Desktop 4.71.0 release notes for the official fix and upgrade guidance.
Workarounds
- Disable the MLX backend in Docker Model Runner configuration until the host is patched.
- Pull models only from trusted, internally controlled OCI registries and block egress to public registries from inference networks.
- Run Docker Desktop under a least-privileged macOS user account to limit blast radius if exploitation occurs.
- Prevent untrusted containers from joining the default Docker network shared with Model Runner.
# Verify Docker Desktop version meets the patched release
docker version --format '{{.Server.Version}}'
# Disable Docker Model Runner until patched (macOS)
docker desktop disable model-runner
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
