CVE-2026-5843
HIGHDescription
The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-5843? +
How severe is CVE-2026-5843? +
How do I check if I'm vulnerable to CVE-2026-5843? +
Related Vulnerabilities
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute …
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the …
Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, …
An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the SSH server on B&R APROL <4.4-00P1 may allow an …
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those …
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input …