Cyber Resilience

CVE-2026-33990

Severity: Medium
Published: 01 April 2026
Modified: 14 April 2026
CVSS v4 score: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (16.4th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-33990 is a medium-severity SSRF (CWE-918) vulnerability in Docker Model Runner. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Docker Model Runner (DMR), a software component for managing, running, and deploying AI models using Docker, contains a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-33990, in versions prior to 1.1.25. The flaw resides in the OCI registry token exchange flow, where DMR blindly follows the realm URL specified in the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. This allows a malicious registry to redirect requests to arbitrary internal endpoints.

Attackers can exploit this vulnerability remotely with no privileges or user interaction required, as indicated by its CVSS score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N); note that this is a CVSS v3-format vector and differs from the v4 score of 6.8 (AV:L, PR:L) listed at the top of this page. By controlling an OCI registry and tricking a victim into pulling a model from it, an attacker can force the Model Runner on the host to issue arbitrary GET requests to internal services, such as http://127.0.0.1:3000/. The full response body from these internal services is reflected back to the caller, enabling reconnaissance. Additionally, the token exchange process can relay data from internal services to the attacker-controlled registry via the Authorization: Bearer header, potentially exposing sensitive information and enabling further integrity violations.

The GitHub security advisory (GHSA-x2f5-332j-9xwq) confirms the issue has been patched in Docker Model Runner version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) prevents container access to Model Runner, mitigating exploitation. However, in configurations where Model Runner is exposed to localhost over TCP, the vulnerability remains exploitable even with these measures.

This vulnerability is particularly relevant in AI/ML workflows, as DMR is designed specifically for handling AI model deployments via Docker, so a malicious model registry can reach internal infrastructure in machine learning pipelines. No in-the-wild exploitation is reported in the sources cited here.


Vulnerability details

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
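The fix the SI-10 control describes is a check on the realm before it is followed. The Go code below is an added example, not DMR's own code: `ParseRealm` extracts the realm from a Bearer challenge and `ValidateRealm` enforces https and rejects hosts that are, or resolve to, loopback, private or link-local ranges; the `Resolver` type is a hypothetical hook so the lookup can be stubbed offline (pass `net.LookupIP` in real use), and the `.example.test` names are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// Resolver is a hypothetical hook so hostname lookups can be stubbed offline.
type Resolver func(host string) ([]net.IP, error)

// Matches the challenge form OCI registries send: Bearer realm="...",service="..."
var realmRe = regexp.MustCompile(`(?i)^bearer\s.*?\brealm="([^"]*)"`)

// ParseRealm returns the realm URL from a WWW-Authenticate challenge.
func ParseRealm(challenge string) (string, error) {
	if m := realmRe.FindStringSubmatch(challenge); m != nil {
		return m[1], nil
	}
	return "", fmt.Errorf("not a Bearer challenge with a realm: %q", challenge)
}

// isInternal flags loopback, RFC 1918, link-local (incl. 169.254.169.254), unspecified and multicast addresses.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateRealm requires https and rejects a realm whose host is, or resolves to, an internal address.
func ValidateRealm(realm string, resolve Resolver) error {
	u, err := url.Parse(realm)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return fmt.Errorf("realm %q must be an https URL with a host: %v", realm, err)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)} // literal IP: no lookup needed
	if ips[0] == nil {                   // hostname: check every address it resolves to
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve realm host %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("realm host %q maps to internal address %s", host, ip)
		}
	}
	return nil
}
```

Checking every resolved address, not just the first, matters because a registry-controlled hostname can return one public and one internal record.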

CWE(s): CWE-918 (Server-Side Request Forgery)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1213 Data from Information Repositories (Collection): Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

SSRF in DMR enables remote exploitation of the application (T1190) to probe and discover internal network services (T1046), gather system information via responses (T1082), and access data from internal services/repositories (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25960 (shared CWE-918)
CVE-2026-4231 (shared CWE-918)
CVE-2026-24779 (shared CWE-918)
CVE-2025-54381 (shared CWE-918)
CVE-2026-27795 (shared CWE-918)
CVE-2026-8768 (shared CWE-918)
CVE-2026-3788 (shared CWE-918)
CVE-2026-30858 (shared CWE-918)
CVE-2026-22742 (shared CWE-918)
CVE-2026-24736 (shared CWE-918)

Affected Assets

Docker Model Runner: ≤ 1.1.25 (as listed; the advisory text above states that versions prior to 1.1.25 are affected and that 1.1.25 contains the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): requires validation of untrusted inputs such as the realm URL from the OCI registry's WWW-Authenticate header to block SSRF by checking scheme, hostname, and IP range.

Prevent, AC-4 (Information Flow Enforcement): enforces information flow policies that prevent the Model Runner from accessing internal services like localhost based on approved flow control rules.

Prevent: monitors and controls communications at system boundaries to limit SSRF requests from reaching or exfiltrating data from internal services.
