CVE-2026-28400
Unauthenticated File Overwrite in Docker Model Runner via Runtime Flags
Publication date: 2026-02-27
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| docker | model_runner | to 1.0.16 (exc) |
| docker | docker_desktop | From 4.61.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Docker Model Runner (DMR) versions prior to 1.0.16 have a vulnerability in the POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without requiring authentication.
These flags are passed directly to the underlying inference server (llama.cpp), allowing an attacker with network access to inject the --log-file flag to write or overwrite arbitrary files accessible to the Model Runner process.
When used with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), this endpoint is reachable from any default container at model-runner.docker.internal without authentication.
This can lead to overwriting the Docker Desktop VM disk file (`Docker.raw`), destroying all containers, images, volumes, and build history.
In some configurations and with user interaction, this vulnerability can be escalated to a container escape.
The issue is fixed in Docker Model Runner 1.0.16 and Docker Desktop 4.61.0 or later.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with network access to the Model Runner API to overwrite arbitrary files accessible to the Model Runner process.
In Docker Desktop environments, this can result in the destruction of all containers, images, volumes, and build history by overwriting the Docker Desktop VM disk file (`Docker.raw`).
Additionally, in certain configurations and with user interaction, the vulnerability can be exploited to escape from a container, potentially compromising the host system.
This can lead to significant data loss, service disruption, and unauthorized access to the host environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Docker Model Runner to version 1.0.16 or later.
Docker Desktop users should update to version 4.61.0 or later, which includes the fixed Model Runner.
As a workaround, enable Enhanced Container Isolation (ECI) in Docker Desktop to block container access to Model Runner, preventing exploitation.
Be aware that if Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability may still be exploitable.