CVE-2026-28400
Published: 27 February 2026
Summary
CVE-2026-28400 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Docker Model Runner (DMR), a software component for managing, running, and deploying AI models using Docker, contains a vulnerability in versions prior to 1.0.16. The issue stems from an exposed POST /engines/_configure endpoint that accepts arbitrary runtime flags without authentication; these flags are passed directly to the underlying inference server (llama.cpp). An attacker can inject the --log-file flag to write or overwrite arbitrary files accessible to the Model Runner process. This affects DMR standalone and is particularly impactful when bundled with Docker Desktop versions 4.46.0 and later, where Model Runner is enabled by default.
Attackers with network access to the Model Runner API can exploit this vulnerability. In Docker Desktop environments, the endpoint is reachable without authentication from any default container via model-runner.docker.internal, allowing file overwrites including the Docker Desktop VM disk (Docker.raw), which destroys all containers, images, volumes, and build history. In specific configurations combined with user interaction, exploitation can lead to container escape. The CVSS score is 7.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H), associated with CWE-749.
Advisories recommend updating to Docker Model Runner 1.0.16 or Docker Desktop 4.61.0 or later, which include the fixed Model Runner. A workaround for Docker Desktop users is to enable Enhanced Container Isolation (ECI), which blocks container access to Model Runner and prevents exploitation. However, if Model Runner is exposed to localhost over TCP in certain configurations, the vulnerability remains exploitable. Details are available in the GitHub Security Advisory (GHSA-m456-c56c-hh5c) and Zero Day Initiative advisory (ZDI-CAN-28379).
This vulnerability has relevance to AI/ML deployments, as it targets a tool specifically designed for running inference servers like llama.cpp within containerized environments. No public reports of real-world exploitation are noted.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9073
Vulnerability details
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw`), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability into a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available: for Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
- CWE(s): CWE-749 (Exposed Dangerous Method or Function)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, llama.cpp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The exposed, unauthenticated /engines/_configure endpoint (T1190, Exploit Public-Facing Application) accepts flags that enable arbitrary file overwrite, which directly facilitates data destruction via Docker.raw (T1485, Data Destruction) and, in specific configurations, container escape (T1611, Escape to Host).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks on the /engines/_configure endpoint before any flags are accepted.
- SI-10 (Information Input Validation): requires validation of all input parameters so that arbitrary --log-file and other llama.cpp flags cannot be injected.
- SC-7 (Boundary Protection): boundary protection (including container-to-host isolation rules such as ECI) blocks unauthorized network paths to model-runner.docker.internal.
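The vulnerable pattern described in the vulnerability details above is a configure endpoint that forwards caller-supplied flags to llama.cpp unchanged; the SI-10 control above asks that such input be validated before it is forwarded. The Go program below is an added example, not Docker Model Runner's own code, of how a defender would implement that check: an explicit allow-list of numeric tuning flags with a value validator per flag, so that any flag naming a host path (such as --log-file) is rejected before it can reach the inference server. The JSON field name `flags`, the `ConfigureRequest` type and the specific allow-list contents are assumptions, not the project's real request schema, and the sample request bodies are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ConfigureRequest is an assumed request shape for a configure endpoint:
// a list of runtime flags the caller wants forwarded to the inference
// server. The field name is a placeholder, not Docker Model Runner's own.
type ConfigureRequest struct {
	Flags []string `json:"flags"`
}

// ErrDisallowedFlag is returned for any flag that is not on the allow-list.
var ErrDisallowedFlag = errors.New("runtime flag not permitted")

// allowedFlags maps each forwardable llama.cpp flag to a validator for its
// value. The list is an assumption for this example and is intentionally
// small: only numeric tuning knobs. Flags that name a path on the host
// (such as --log-file) are absent, so they can never pass this check.
var allowedFlags = map[string]func(string) error{
	"--ctx-size":     uintValue,
	"--threads":      uintValue,
	"--n-gpu-layers": uintValue,
	"--batch-size":   uintValue,
	"--temp":         floatValue,
}

func uintValue(v string) error {
	_, err := strconv.ParseUint(v, 10, 32)
	return err
}

func floatValue(v string) error {
	_, err := strconv.ParseFloat(v, 64)
	return err
}

// ValidateRuntimeFlags normalises a flag list into [name, value, name, value, ...]
// form and rejects anything that is not an allow-listed flag carrying a
// well-formed value. Both "--threads=8" and "--threads 8" spellings are accepted.
func ValidateRuntimeFlags(flags []string) ([]string, error) {
	out := make([]string, 0, len(flags))
	for i := 0; i < len(flags); i++ {
		arg := flags[i]
		if !strings.HasPrefix(arg, "--") {
			return nil, fmt.Errorf("unexpected positional argument %q", arg)
		}
		name, value, hasValue := strings.Cut(arg, "=")
		validate, ok := allowedFlags[name]
		if !ok {
			return nil, fmt.Errorf("%w: %s", ErrDisallowedFlag, name)
		}
		if !hasValue {
			// Value is the next argument; a trailing flag with no value is an error.
			if i+1 >= len(flags) {
				return nil, fmt.Errorf("flag %s is missing its value", name)
			}
			i++
			value = flags[i]
		}
		if err := validate(value); err != nil {
			return nil, fmt.Errorf("invalid value for %s: %w", name, err)
		}
		out = append(out, name, value)
	}
	return out, nil
}

// CheckConfigureBody decodes a JSON request body and validates its flags.
// Unknown JSON fields are rejected so that extra configuration cannot be
// smuggled past the check alongside the flag list.
func CheckConfigureBody(body []byte) ([]string, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req ConfigureRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("malformed configure request: %w", err)
	}
	return ValidateRuntimeFlags(req.Flags)
}

func main() {
	// Constructed sample bodies: a benign tuning request, an attempt to
	// forward a file-writing flag, and a malformed value.
	samples := []string{
		`{"flags": ["--ctx-size=4096", "--threads", "8", "--temp", "0.7"]}`,
		`{"flags": ["--log-file", "/tmp/example.log"]}`,
		`{"flags": ["--threads=many"]}`,
	}
	for _, s := range samples {
		if flags, err := CheckConfigureBody([]byte(s)); err != nil {
			fmt.Printf("REJECT %s: %v\n", s, err)
		} else {
			fmt.Printf("ACCEPT %s -> %v\n", s, flags)
		}
	}
}
```

Run with `go run` and the first sample is accepted while the --log-file and non-numeric samples are rejected. The design point is that the check allow-lists flags and types their values rather than deny-listing --log-file, so any other path-taking llama.cpp flag is blocked without someone having to remember it. Input validation covers SI-10 only; the endpoint still needs AC-3-style authentication in front of it, since validating what is sent says nothing about who is allowed to send it.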