Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user.
Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.
AnalysisAI
Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.
Technical ContextAI
Docker Model Runner is the local LLM-serving feature shipped with Docker Desktop on Apple Silicon, which uses Apple's MLX framework and the MLX-LM Python library for inference. MLX-LM resolves a model's config.json model_file key as a module path and calls importlib to load it, a design intended to allow custom architecture code shipped alongside model weights. CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) captures the root cause: unlike Hugging Face Transformers, which requires an explicit trust_remote_code=True opt-in for custom code, MLX-LM has no equivalent gate, so any pulled model can contribute executable Python to the host process. Affected CPE is cpe:2.3:a:docker:docker_desktop, and the exposure is reachable via the model-runner.docker.internal HTTP API exposed by default to containers on the Docker network.
RemediationAI
Vendor-released patch: Docker Desktop 4.71.0 - upgrade macOS hosts to 4.71.0 or later as documented at https://docs.docker.com/desktop/release-notes/#4710. Where immediate upgrade is not possible, disable Docker Model Runner in Docker Desktop settings, or at minimum disable the MLX backend, which removes the vulnerable importlib path at the cost of losing local LLM inference. As a network-layer compensating control, prevent untrusted containers from reaching model-runner.docker.internal by avoiding running untrusted images on the default bridge network or by using user-defined networks that exclude the model runner; this preserves Model Runner functionality for trusted workflows but adds operational friction. Pulling models only from curated OCI registries reduces but does not eliminate risk, because any malicious config.json reaching the backend will be honored.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31491
GHSA-9m9w-53g9-47c4