Docker MCP Gateway
CVE-2026-55887
HIGH
Severity by source
Image is fetched over the network (AV:N) but requires the victim to reference an attacker-controlled image (UI:R) and supply-chain positioning (AC:H); no gateway auth needed (PR:N); container-host boundary crossed (S:C) with full host compromise.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Summary
A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host filesystem, run as UID 0, and execute arbitrary code on the host.
Details
The io.docker.server.metadata OCI image label is YAML-unmarshalled directly into the wide catalog.Server struct, which carries runtime-shaping fields (Volumes, User, Command, ExtraHosts, AllowHosts, DisableNetwork, Env, Remote, SSEEndpoint, OAuth, Secrets, LongLived, Policy) alongside descriptive fields. Every runtime field carries a YAML tag, so the unmarshal mass-assigns from the attacker-controlled label content; only Image is overwritten afterwards. The gateway's container-launch code then appends those fields verbatim as docker run flags (-v, -u, --add-host) with no allowlist or origin check, and execs docker with the resulting argv.
Impact
A malicious image author can achieve arbitrary code execution as UID 0 on the host of a victim running an affected version of MCP Gateway. Attacker-injected -v /:/host, -u root, and -v /var/run/docker.sock:/var/run/docker.sock arguments reach the docker run invocation that launches the MCP server container, giving the attacker full host filesystem access and root execution. The container/host trust boundary is bypassed at container-creation time, so the --security-opt no-new-privileges flag the gateway applies provides no protection: no in-container privilege escalation is needed.
Patches
The OCI image-label parser now only populates descriptive fields from the image label, which excludes fields that control the container runtime.
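To make the Details and Patches sections concrete, here is an added illustration (not code from the mcp-gateway project) of the two parser shapes side by side: a wide struct that mass-assigns runtime fields from the label, and a narrow descriptive-only struct that cannot receive them. It assumes constructed struct names and uses encoding/json on a JSON-encoded label (valid YAML) so it runs with the standard library only; the real parser is YAML-based.

```go
package main

import "encoding/json"

// wideServer stands in for the wide catalog.Server struct: descriptive and runtime-shaping
// fields share one tagged struct, so a decode mass-assigns all of them (constructed subset).
type wideServer struct {
	Name    string   `json:"name"`
	Image   string   `json:"image"`
	Volumes []string `json:"volumes"`
	User    string   `json:"user"`
}

// descriptiveMeta is the narrow label-only type: it has no runtime fields,
// so label keys such as "volumes" and "user" are dropped on decode.
type descriptiveMeta struct {
	Name string `json:"name"`
}

// parseLabelVulnerable models pre-fix behaviour: decode into the wide struct, then overwrite only Image.
func parseLabelVulnerable(label []byte, image string) (wideServer, error) {
	var s wideServer
	err := json.Unmarshal(label, &s)
	s.Image = image
	return s, err
}

// parseLabelFixed models the patched parser: decode into the narrow type and copy only descriptive fields.
func parseLabelFixed(label []byte, image string) (wideServer, error) {
	var m descriptiveMeta
	err := json.Unmarshal(label, &m)
	return wideServer{Name: m.Name, Image: image}, err
}

// runArgs appends runtime fields verbatim as -v / -u flags, as the advisory
// describes for the gateway's container-launch code, then the image reference.
func runArgs(s wideServer) []string {
	args := []string{"docker", "run", "--rm", "--security-opt", "no-new-privileges"}
	for _, v := range s.Volumes {
		args = append(args, "-v", v)
	}
	if s.User != "" {
		args = append(args, "-u", s.User)
	}
	return append(args, s.Image)
}

// craftedLabel is a constructed label with the values the advisory names; JSON is valid YAML.
const craftedLabel = `{"name":"demo","volumes":["/:/host"],"user":"0"}`
```

Feeding craftedLabel through parseLabelVulnerable yields an argv carrying -v /:/host and -u 0, while parseLabelFixed produces one with no label-derived runtime flags at all. A stricter variant could decode with a json.Decoder and DisallowUnknownFields to reject labels that carry unexpected keys instead of silently ignoring them.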
Credit
This issue was reported by Jabr Al-Otaibi @ DarkCov working with TrendAI Zero Day Initiative.
Analysis (AI-generated)
Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the docker run command line. A malicious OCI image author can craft an io.docker.server.metadata label that YAML-unmarshals into runtime-shaping fields of the catalog.Server struct, causing the gateway to append attacker-chosen flags like -v /:/host and -u root when launching the MCP server container. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to launch an MCP server from an attacker-controlled OCI image, either by explicitly referencing it via a `docker://` URL in the gateway or by having their catalog pull a snapshot that includes the malicious image, and the image must carry a crafted `io.docker.server.metadata` label whose YAML sets runtime fields such as `Volumes`, `User`, or `ExtraHosts`. … |
| Risk Assessment | No official CVSS score or EPSS data is available, and the CVE is not listed in CISA KEV. … |
| Exploit Scenario | An attacker publishes (or compromises) an OCI image whose `io.docker.server.metadata` label contains YAML setting `Volumes: ['/:/host', '/var/run/docker.sock:/var/run/docker.sock']` and `User: '0'`. A victim running MCP Gateway < 0.42.2 references the image through a `docker://` URL or pulls a catalog snapshot that includes it; when the gateway launches the MCP server, those values are appended verbatim to `docker run`, giving the attacker root-equivalent access to the host filesystem and the Docker socket and thus arbitrary code execution on the host. |
| Remediation | Vendor-released patch: upgrade github.com/docker/mcp-gateway to 0.42.2 or later, where the OCI image-label parser populates only descriptive fields and explicitly excludes runtime-shaping fields. … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all Docker MCP Gateway deployments and identify which systems process untrusted or externally-sourced container images. …
Same technique: Privilege Escalation
External POC / Exploit Code
GHSA-r2xf-7jw5-pjg6