SSRF Vulnerability in Docker Model Runner Affecting Docker Software
CVE-2026-33990

6.8 MEDIUM

Key Information:

Vendor: Docker
CVE Published: 1 April 2026

What is CVE-2026-33990?

Docker Model Runner before version 1.1.25 contains a Server-Side Request Forgery (SSRF) vulnerability in its OCI registry token exchange workflow. When Model Runner pulls a model, it follows the realm URL given in the registry's WWW-Authenticate header without validating that URL's scheme, hostname, or IP range. A malicious OCI registry can therefore supply an internal URL (for example http://127.0.0.1:3000/), causing the Model Runner instance on the host to issue arbitrary GET requests to internal services. The response body of such a request can be reflected in full to the original caller. In addition, the token exchange mechanism can forward data obtained from an internal service to the attacker-controlled registry in the Authorization: Bearer header. The issue is fixed in version 1.1.25. Docker Desktop users can further reduce exposure by enabling Enhanced Container Isolation (ECI), which restricts container access to Model Runner and limits the opportunity for exploitation; however, in configurations where Docker Model Runner is inadvertently exposed to localhost over TCP, the vulnerability can still be reached.
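The defensive check the description calls for, as an added example that is not Docker's code or the actual 1.1.25 fix: extract the realm from a Bearer challenge, then refuse it unless the scheme is https and the host neither names localhost nor is (or resolves to) a loopback, link-local, private or unspecified address. The hostname resolver is an injected function (an assumption made so the check runs offline); a real client would pass a wrapper around net.LookupIP.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

var realmRe = regexp.MustCompile(`realm="([^"]*)"`) // the realm="..." parameter of a Bearer challenge

// RealmFromChallenge returns the realm URL from a WWW-Authenticate value, if it is a Bearer challenge.
func RealmFromChallenge(header string) (string, bool) {
	m := realmRe.FindStringSubmatch(header)
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") || m == nil {
		return "", false
	}
	return m[1], true
}

// ValidateRealm refuses a realm URL that could steer the token request at an internal service.
// lookup resolves a hostname to addresses; it is injected so the check runs offline in tests.
func ValidateRealm(realm string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(realm)
	if err != nil {
		return err
	}
	if u.Scheme != "https" { // plain http and exotic schemes are never acceptable for a token endpoint
		return fmt.Errorf("realm scheme %q is not https", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return errors.New("realm host is empty or localhost")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: resolve it
		if ips, err = lookup(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		// Refuse loopback, link-local, private (RFC 1918 / ULA) and unspecified addresses.
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified() {
			return fmt.Errorf("realm host %s resolves to internal address %s", host, ip)
		}
	}
	return nil
}
```

A check at resolution time still leaves a DNS rebinding window between lookup and connect, so a production client should also pin the validated address when dialing the token endpoint.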

Affected Version(s)

model-runner < 1.1.25

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
