Cyber Posture

CVE-2026-33990

Severity: Critical
Published: 01 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (fixed in 1.1.25)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33990 is a critical-severity SSRF (CWE-918) vulnerability in Docker Model Runner. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of untrusted inputs such as the realm URL taken from the OCI registry's WWW-Authenticate header: check the scheme, the hostname, and the IP range the hostname resolves to before following it, which blocks the SSRF at its source.

AC-4 Information Flow Enforcement (prevent)
Enforces information flow policies that stop the Model Runner from reaching internal services such as localhost unless an approved flow control rule allows it.

SC-7 Boundary Protection (prevent)
Monitors and controls communications at system boundaries so that forged requests cannot reach internal services, or carry their responses out to an external registry.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1213 Data from Information Repositories (Collection): Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

SSRF in Docker Model Runner (DMR) lets a malicious registry drive the application into issuing requests on its behalf (T1190). Because the response bodies come back to the caller, the attacker can probe which internal services answer (T1046), read the version and configuration details those services return (T1082), and pull data from internal APIs and repositories that trust localhost (T1213). How far the last three go depends on what is reachable from the host running DMR.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
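The three checks the description says were missing (scheme, hostname, IP range), as an added Go example that is not code from the Docker Model Runner project: it parses a Bearer challenge of the kind a registry returns on a 401, validates the realm URL before the token request, and re-checks the resolved address at dial time. The function names, the simplified challenge parser, the injected resolver and the constructed malicious challenge are this example's own assumptions, not DMR's API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// parseBearerChallenge extracts the key="value" parameters of a "WWW-Authenticate: Bearer ..."
// challenge. Deliberately minimal: comma-separated, double-quoted values, no commas inside values.
func parseBearerChallenge(header string) (map[string]string, error) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	for _, kv := range strings.Split(header[len(prefix):], ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return nil, fmt.Errorf("malformed parameter %q", kv)
		}
		params[strings.ToLower(strings.TrimSpace(k))] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return params, nil
}

// isPublicIP rejects every address an SSRF against the host would aim at: loopback, RFC 1918 / ULA,
// link-local (which covers the 169.254.169.254 cloud metadata endpoint), unspecified and multicast.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast())
}

// validateRealm applies the checks the vulnerable flow skipped: https only, a bare hostname (no
// userinfo), and every address it resolves to must be public. The resolver is injected to run offline.
func validateRealm(realm string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(realm)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("realm scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || u.User != nil {
		return nil, errors.New("realm must carry a bare hostname")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: check it directly
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("realm host %q maps to non-public address %s", host, ip)
		}
	}
	return u, nil
}

// safeTransport repeats the IP check at connect time and dials the vetted address rather than the
// name, so a hostname that passed validateRealm cannot be rebound to an internal IP afterwards.
func safeTransport() *http.Transport {
	dialer := &net.Dialer{}
	return &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
			if err != nil || len(ips) == 0 {
				return nil, fmt.Errorf("cannot resolve %q: %v", host, err)
			}
			for _, ip := range ips {
				if !isPublicIP(ip) {
					return nil, fmt.Errorf("refusing to connect to %s (%s)", host, ip)
				}
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
}

func main() {
	challenge := `Bearer realm="http://127.0.0.1:3000/",service="registry.example.com",scope="repository:ai/model:pull"` // constructed malicious challenge
	params, err := parseBearerChallenge(challenge)
	if err != nil {
		panic(err)
	}
	if _, err := validateRealm(params["realm"], net.LookupIP); err != nil {
		fmt.Println("token exchange refused:", err)
	}
}
```

The split between validateRealm and safeTransport is the point: a check done once at validation time leaves a DNS rebinding window, so the dialer checks again and connects to the IP it just vetted. Install the transport on the http.Client that performs the token request, and pass net.LookupIP (or a resolver of your own) to validateRealm. Allowing plain http realms for a private registry, if ever needed, should be an explicit per-registry opt-in rather than the default.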

Deeper analysis

Docker Model Runner (DMR), the component used to manage, run, and deploy AI models with Docker, contains a Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-33990, in versions prior to 1.1.25. The flaw sits in the OCI registry token exchange flow: when a registry answers a pull with a WWW-Authenticate: Bearer challenge, DMR follows the realm URL from that challenge without validating its scheme, hostname, or IP range. A malicious registry can therefore point the realm at any endpoint the DMR host can reach.

The attacker needs no privileges and no user interaction beyond getting a victim to pull a model from a registry they control, which is what the CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) expresses. Once the realm is set to something like http://127.0.0.1:3000/, the Model Runner on the host issues a GET request to that internal service and reflects the full response body back to whoever invoked the pull. In addition, the token exchange relays data from that response to the attacker-controlled registry in the Authorization: Bearer header of its next request, so the attacker gets the data even when the caller is not under their control. Either path turns DMR into a read proxy for services that trust localhost; the vector rates both confidentiality and integrity impact High.

The GitHub security advisory (GHSA-x2f5-332j-9xwq) confirms the fix in Docker Model Runner 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner and so prevents exploitation from inside a container. ECI does not cover every deployment: where Model Runner is exposed to localhost over TCP, the vulnerability remains exploitable even with ECI enabled, so upgrading is the only complete fix.

The flaw matters for AI/ML pipelines because DMR pulls models from registries that may be third-party; a poisoned model reference is enough to reach internal infrastructure behind the host. No in-the-wild exploitation is reported here, consistent with the low EPSS score.

Details

CWE(s)
CWE-918 Server-Side Request Forgery (SSRF)

Affected Products
docker model runner, versions prior to 1.1.25 (fixed in 1.1.25)

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keyword "ai"

CVEs Like This One

CVE-2026-4231 (shared CWE-918)
CVE-2026-28451 (shared CWE-918)
CVE-2026-41271 (shared CWE-918)
CVE-2026-22664 (shared CWE-918)
CVE-2026-24779 (shared CWE-918)
CVE-2026-27488 (shared CWE-918)
CVE-2026-34576 (shared CWE-918)
CVE-2026-30247 (shared CWE-918)
CVE-2026-35486 (shared CWE-918)
CVE-2026-30834 (shared CWE-918)
