Skip to main content

Docker CVE-2026-33990

| EUVDEUVD-2026-17963 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-30 https://github.com/docker/model-runner GHSA-x2f5-332j-9xwq
Medium
Disputed · 6.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
GitHub Advisory PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 17:15 euvd
EUVD-2026-17963
Analysis Generated
Mar 30, 2026 - 17:15 vuln.today
CVE Published
Mar 30, 2026 - 17:08 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

Summary

Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header.

Patches

Fixed in Docker Model Runner v1.1.25 Docker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.

Workarounds

For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.

Impact

An unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)

AnalysisAI

Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.

Technical ContextAI

Docker Model Runner implements OCI registry authentication via the standard HTTP challenge mechanism defined in RFC 7235, where registries return a WWW-Authenticate header specifying a realm URL for token exchange. The vulnerability exists in the token exchange flow's failure to validate the realm URL's scheme, hostname, or IP range before making requests. The affected Go-based module (github.com/docker/model-runner) blindly follows attacker-controlled realm values, enabling Server-Side Request Forgery (SSRF, CWE-918). When Model Runner executes within a container or on a host, it can reach internal services typically isolated from untrusted workloads, and the token exchange mechanism can relay authentication data via the Authorization: Bearer header, creating a bidirectional data exfiltration channel.

RemediationAI

Vendor-released patch: Docker Model Runner v1.1.25 and later. Docker Desktop users must update to version 4.67.0 or later, which includes the fixed Model Runner. As a temporary workaround, Docker Desktop users can enable Enhanced Container Isolation (ECI) to block container access to Model Runner; however, this does not fully mitigate if Model Runner is exposed over TCP to localhost in specific network configurations. Users should prioritize patching to v1.1.25 or upgrading Docker Desktop to 4.67.0+. Refer to the official advisory at https://github.com/docker/model-runner/security/advisories/GHSA-x2f5-332j-9xwq for detailed patching guidance.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-33990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy