QSearchQSearch

CVE-2026-5817

8.2 HIGH

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizer...

Published: 2026-05-22 · Last updated: 2026-06-01

Severity and scoring

CVSS
8.2 HIGH
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
CWE-829

Affected products

VendorProduct
dockerdocker_desktop

Description

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-42306 Moby is an open source container framework (7.2 HIGH)
  • CVE-2026-41568 Moby is an open source container framework (6.1 MEDIUM)
  • CVE-2026-5843 The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary P... (8.2 HIGH)
  • CVE-2026-6406 The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop (8.8 HIGH)
  • CVE-2026-34040 Moby is an open source container framework (8.8 HIGH)

Same CWE

  • CVE-2026-42089 Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved (8.6 HIGH)
  • CVE-2026-48124 Cursor is a code editor built for programming with AI
  • CVE-2026-12057 When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfac... (8.6 HIGH)
  • CVE-2026-53810 OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading towar... (8.8 HIGH)
  • CVE-2026-52858 Vim is an open source, command line text editor (7.8 HIGH)