Cyber Resilience

CVE-2026-28400

Severity: High
Published: 27 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28400 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Docker Model Runner (DMR), a software component for managing, running, and deploying AI models using Docker, contains a vulnerability in versions prior to 1.0.16. The issue stems from an exposed POST /engines/_configure endpoint that accepts arbitrary runtime flags without authentication; these flags are passed directly to the underlying inference server (llama.cpp). An attacker can inject the --log-file flag to write or overwrite arbitrary files accessible to the Model Runner process. This affects DMR standalone and is particularly impactful when bundled with Docker Desktop versions 4.46.0 and later, where Model Runner is enabled by default.

Attackers with network access to the Model Runner API can exploit this vulnerability. In Docker Desktop environments, the endpoint is reachable without authentication from any default container via model-runner.docker.internal, allowing file overwrites including the Docker Desktop VM disk (Docker.raw), which destroys all containers, images, volumes, and build history. In specific configurations combined with user interaction, exploitation can lead to container escape. The CVSS score is 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), associated with CWE-749.

Advisories recommend updating to Docker Model Runner 1.0.16 or Docker Desktop 4.61.0 or later, which include the fixed Model Runner. A workaround for Docker Desktop users is to enable Enhanced Container Isolation (ECI), which blocks container access to Model Runner and prevents exploitation. However, if Model Runner is exposed to localhost over TCP in certain configurations, the vulnerability remains exploitable. Details are available in the GitHub Security Advisory (GHSA-m456-c56c-hh5c) and Zero Day Initiative advisory (ZDI-CAN-28379).

This vulnerability is relevant to AI/ML deployments because it affects a tool designed specifically for running inference servers such as llama.cpp inside containerized environments. No public reports of real-world exploitation have been noted.

Vulnerability details

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw`), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability into a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, llama.cpp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1611 Escape to Host (Privilege Escalation): Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

Exposed unauthenticated /_configure endpoint (T1190) accepts flags enabling arbitrary file overwrite, directly facilitating data destruction via Docker.raw (T1485) and container escape in specific configs (T1611).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-749)

CVE-2024-13242, CVE-2026-4051, CVE-2026-33583, CVE-2026-5173, CVE-2026-35488, CVE-2024-12651, CVE-2026-30921, CVE-2025-47366, CVE-2026-30957, CVE-2025-53964

Affected Assets

Zerodayinitiative (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent · AC-3 Access Enforcement: Directly enforces authentication and authorization checks on the /engines/_configure endpoint before any flags are accepted.

prevent · SI-10 Information Input Validation: Requires validation of all input parameters so that arbitrary --log-file and other llama.cpp flags cannot be injected.

prevent · Boundary protection (including container-to-host isolation rules such as ECI) blocks unauthorized network paths to model-runner.docker.internal.
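To illustrate the SI-10 control above, here is an added Go example (not Docker Model Runner's own code) of an allowlist validator that checks a configure request's runtime flags before any are handed to the inference server. The JSON body shape and the permitted flag names are assumptions, since the page does not give the endpoint's real request format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// configureRequest is an ASSUMED body shape for an engine-configure call;
// the real Docker Model Runner request format is not shown on the page.
type configureRequest struct {
	Flags []string `json:"flags"`
}

// allowedFlags is a hypothetical allowlist of tuning flags that never take a
// filesystem path. Allowlisting beats denylisting: a denylist of individual
// path-taking flags such as --log-file is brittle as the server's flag set grows.
var allowedFlags = map[string]bool{
	"--ctx-size": true, "--threads": true, "--temp": true,
}

// ValidateFlags walks the argument vector and rejects anything that is not
// an allowlisted flag carrying a well-formed value (SI-10 style validation).
func ValidateFlags(flags []string) error {
	for i := 0; i < len(flags); i++ {
		name, hasValue := flags[i], false
		if idx := strings.IndexByte(name, '='); idx >= 0 {
			name, hasValue = name[:idx], true // --flag=value form
		}
		if !allowedFlags[name] {
			return fmt.Errorf("flag %q is not on the allowlist", name)
		}
		if !hasValue {
			// Separate-value form: the next token must exist and not look like a flag.
			if i+1 >= len(flags) || strings.HasPrefix(flags[i+1], "-") {
				return fmt.Errorf("flag %q is missing its value", name)
			}
			i++
		}
	}
	return nil
}

// ParseAndValidate decodes a request body and validates its flags; only a nil
// error means the flags may be forwarded to the inference server.
func ParseAndValidate(body []byte) error {
	var req configureRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return fmt.Errorf("malformed body: %w", err)
	}
	return ValidateFlags(req.Flags)
}
```

Pair this with the AC-3 check: the validator runs only after the caller has been authenticated, so an unauthenticated container never reaches it.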
