CVE-2026-5843

Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
22/05/2026
Last modified:
01/06/2026

Description

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model&amp;#39;s config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user.<br /> <br /> Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:* 4.56.0 (including) 4.71.0 (excluding)
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools