CVE-2026-5843
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
22/05/2026
Last modified:
01/06/2026
Description
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model&#39;s config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user.<br />
<br />
Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.
Impact
Base Score 4.0
8.80
Severity 4.0
HIGH
Base Score 3.x
8.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:* | 4.56.0 (including) | 4.71.0 (excluding) |
| cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



