
Docker MCP Gateway CVE-2026-55887

Severity: HIGH
Weakness: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-18 · https://github.com/docker/mcp-gateway · GHSA-r2xf-7jw5-pjg6

Severity by source

vuln.today AI: 8.3 HIGH

Image is fetched over the network (AV:N) but requires the victim to reference an attacker-controlled image (UI:R) and supply-chain positioning (AC:H); no gateway auth needed (PR:N); container-host boundary crossed (S:C) with full host compromise.

CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

Source Code Evidence Fetched: Jun 18, 2026 - 14:02 (vuln.today)
Analysis Generated: Jun 18, 2026 - 14:02 (vuln.today)

Description (source: CVE.org)

Summary

A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host filesystem, run as UID 0, and execute arbitrary code on the host.

Details

The io.docker.server.metadata OCI image label is YAML-unmarshalled directly into the wide catalog.Server struct, which carries runtime-shaping fields (Volumes, User, Command, ExtraHosts, AllowHosts, DisableNetwork, Env, Remote, SSEEndpoint, OAuth, Secrets, LongLived, Policy) alongside descriptive fields. Every runtime field carries a YAML tag, so the unmarshal mass-assigns from the attacker-controlled label content; only Image is overwritten afterwards. The gateway's container-launch code then appends those fields verbatim as docker run flags (-v, -u, --add-host) with no allowlist or origin check, and execs docker with the resulting argv.

Impact

A malicious image author can achieve arbitrary code execution as UID 0 on the host of a victim running an affected version of MCP Gateway. Attacker-injected -v /:/host, -u root, and -v /var/run/docker.sock:/var/run/docker.sock arguments reach the docker run invocation that launches the MCP server container, giving the attacker full host filesystem access and root execution. The container/host trust boundary is bypassed at container-creation time, so the --security-opt no-new-privileges flag the gateway applies provides no protection: no in-container privilege escalation is needed.

Patches

The OCI image-label parser now only populates descriptive fields from the image label, which excludes fields that control the container runtime.

Credit

This issue was reported by Jabr Al-Otaibi @ DarkCov working with TrendAI Zero Day Initiative.

Analysis (AI-generated)

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the docker run command line. A malicious OCI image author can craft an io.docker.server.metadata label that YAML-unmarshals into runtime-shaping fields of the catalog.Server struct, causing the gateway to append attacker-chosen flags like -v /:/host and -u root when launching the MCP server container. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Publish malicious OCI image with crafted metadata label
Delivery: Victim references image via docker:// or catalog snapshot
Exploit: Gateway YAML-unmarshals label into catalog.Server struct
Execution: Runtime fields appended verbatim to docker run argv
Persist: Container starts with -v /:/host and -u root
Impact: Attacker code executes as UID 0 on host

Vulnerability Assessment (AI-generated)

Exploitation: Requires the victim to launch an MCP server from an attacker-controlled OCI image, either by explicitly referencing it via a `docker://` URL in the gateway or by having their catalog pull a snapshot that includes the malicious image, and the image must carry a crafted `io.docker.server.metadata` label whose YAML sets runtime fields such as `Volumes`, `User`, or `ExtraHosts`. …

Risk Assessment: No CVSS score or EPSS data is provided in the input, and the CVE is not listed in CISA KEV. …

Exploit Scenario: An attacker publishes (or compromises) an OCI image whose `io.docker.server.metadata` label contains YAML setting `Volumes: ['/:/host', '/var/run/docker.sock:/var/run/docker.sock']` and `User: '0'`. A victim running MCP Gateway < 0.42.2 references the image through a `docker://` URL or pulls a catalog snapshot that includes it; when the gateway launches the MCP server, those values are appended verbatim to `docker run`, giving the attacker root-equivalent access to the host filesystem and the Docker socket and thus arbitrary code execution on the host.

Remediation: Upgrade github.com/docker/mcp-gateway to 0.42.2 or later (vendor-released patch), where the OCI image-label parser populates only descriptive fields and explicitly excludes runtime-shaping fields. …

Recommended Action (AI-generated)

Within 24 hours: Inventory all Docker MCP Gateway deployments and identify which systems process untrusted or externally-sourced container images. …
