
Docker Model Runner: CVE-2026-33990 is a critical SSRF in the OCI registry token exchange

CVE-2026-33990: critical SSRF (CVSS 9.1) in Docker Model Runner lets a malicious OCI registry exfiltrate credentials. Fixed in Desktop 4.67.0.

CVE-2026-33990 is a Server-Side Request Forgery vulnerability in Docker Model Runner, the component that handles model downloads and local AI execution within Docker Desktop. CVSS 3.1 score is 9.1 CRITICAL. The CVE was published on NVD on April 1, 2026. bitten’s Docker Desktop series had not yet covered it. The fix ships in Docker Desktop 4.67.0, released March 30, 2026.

How the vulnerability works

The flaw lives in the OCI registry authentication flow that Model Runner uses when pulling a model. When a registry responds with a WWW-Authenticate header that includes a token endpoint URL (the realm field), Model Runner follows that URL without validating its scheme, hostname, or IP range.

A malicious OCI registry (or a legitimate one that has been compromised) can set the realm field to any internal address reachable from the host: http://169.254.169.254/ (cloud metadata endpoint), a service listening on localhost, or any other internal target. Model Runner sends a GET request to that address and includes the Authorization header containing the registry credentials. The result is credential exfiltration or unauthorized access to internal services.

The attack vector is network-based, requires no authentication, and requires no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The underlying weakness is CWE-918: insufficient validation of URLs in server-side requests.
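As an added illustration of the missing validation the article describes (this is example code written for this post, not Docker's code and not the Model Runner patch), the following Go program parses a Bearer challenge from a registry's WWW-Authenticate header and refuses to follow a realm unless it uses https and its host does not resolve to a loopback, link-local, private or otherwise internal address. The function names, the constructed challenge string and the injected resolver are all assumptions made so that the program runs offline; a real client would resolve with net.LookupIP.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// parseBearerChallenge extracts the key="value" parameters (realm, service,
// scope) from a WWW-Authenticate: Bearer ... header value.
func parseBearerChallenge(header string) (map[string]string, error) {
	if !strings.HasPrefix(strings.ToLower(header), "bearer ") {
		return nil, errors.New("not a Bearer challenge")
	}
	params := map[string]string{}
	re := regexp.MustCompile(`(\w+)="([^"]*)"`)
	for _, m := range re.FindAllStringSubmatch(header[len("Bearer "):], -1) {
		params[strings.ToLower(m[1])] = m[2]
	}
	if params["realm"] == "" {
		return nil, errors.New("challenge has no realm")
	}
	return params, nil
}

// isDisallowedIP reports whether an address is one a token endpoint must
// never point at: loopback, link-local (which covers 169.254.169.254),
// RFC 1918 / ULA private space, unspecified or multicast.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateRealm decides whether the token endpoint advertised by a registry
// may be followed. The resolver is injected (assumption) so the check can be
// exercised without network access. Note that a hardened client should also
// pin the connection to the IP it validated, otherwise a DNS answer that
// changes between check and connect (rebinding) defeats the check.
func validateRealm(realm string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(realm)
	if err != nil {
		return nil, fmt.Errorf("realm is not a URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("realm scheme %q is not https", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("realm has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		ips, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolving realm host %q: %w", host, err)
		}
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("realm host %q resolves to disallowed address %s", host, ip)
		}
	}
	return u, nil
}

func main() {
	// Constructed resolver: auth.example.com is the only "real" host here.
	resolve := func(host string) ([]net.IP, error) {
		if host == "auth.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, fmt.Errorf("unknown host %q", host)
	}
	// Constructed challenge, in the shape a registry returns on the first pull.
	challenge := `Bearer realm="https://auth.example.com/token",service="registry.example.com",scope="repository:ai/model:pull"`
	params, err := parseBearerChallenge(challenge)
	if err != nil {
		fmt.Println("bad challenge:", err)
		return
	}
	for _, realm := range []string{params["realm"], "http://169.254.169.254/latest/meta-data/"} {
		if _, err := validateRealm(realm, resolve); err != nil {
			fmt.Println("rejected:", realm, "->", err)
		} else {
			fmt.Println("accepted:", realm)
		}
	}
}
```

The scheme check matters as much as the address check: a plain-http realm would carry the Authorization header in clear text to whatever host the registry named. The realm host legitimately differs from the registry host in normal token flows (Docker Hub, for example, sends clients to a separate auth host), so the check is on where the host points, not on whether it equals the registry.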

GitHub assigns a CVSS 4.0 score of 6.8 MEDIUM with a local attack vector, a discrepancy from CISA-ADP’s 9.1 that reflects differing deployment-context assumptions, not a technical contradiction. For environments where Model Runner is exposed over TCP on localhost, the network-based CVSS 3.1 rating is the more conservative and appropriate measure.

Fix and mitigation

The fix is in Docker Model Runner 1.1.25, included in Docker Desktop 4.67.0 (March 30, 2026). The current release is 4.74.0, shipped May 19, 2026: anyone with automatic updates enabled is already protected.

To check the installed version: Docker Desktop > Settings > Software Updates, or run docker version in the terminal. If the version shown is lower than 4.67.0, an update is required.

Docker’s documented alternative mitigation is enabling Enhanced Container Isolation (ECI), which blocks container access to Model Runner regardless of version. ECI is available under Settings > General > Enhanced container isolation. However, the vulnerability remains technically present for processes accessing Model Runner directly over localhost TCP even with ECI enabled — updating to 4.67.0 or later is the only complete fix.

Anyone using Docker Model Runner in their AI workflows (pulling Llama, Qwen, or Mistral models from Desktop directly, or integrating via the OpenAI-compatible API introduced in version 4.72.0) should verify the installed version and update if not already on 4.67.0 or higher.

Impact on development workflows

This CVE specifically affects teams using Model Runner for local AI inference: developers testing LLM-backed applications, CI pipelines running local inference, or stacks using the Gordon AI assistant introduced in Docker Desktop 4.74.0. In these environments, the practical risk is that a model pulled from an unverified OCI registry could exploit the vulnerability to reach cloud metadata endpoints or internal services accessible from the host.

The attack surface is limited to workflows that pull from third-party OCI registries. Teams pulling exclusively from Docker Hub have reduced exposure, though not zero if the registry account is compromised or if uncontrolled mirrors are in use.

Luca

Software developer, Apple user since 2012. I cover news and tools for developers building on Apple platforms.
