Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.
A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.
AnalysisAI
Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).
Technical ContextAI
Docker Desktop's Enhanced Container Isolation feature is a hardening control that runs containers in a Linux VM with restricted privileges and enforces an admin-controlled allowlist for sensitive mounts like the Docker socket. Enforcement is implemented in the Docker Desktop API proxy that sits between the CLI and the Engine. The Docker container creation API accepts mount specifications via two distinct fields: HostConfig.Binds (legacy short string form) and HostConfig.Mounts (newer structured form). The --use-api-socket CLI flag, intended to expose the Engine socket to containers, populates HostConfig.Mounts, but the ECI proxy only validated Binds - a classic CWE-863 incorrect authorization decision where the policy engine inspects an incomplete view of the request. Affected CPE is cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*, with the fix landing in Docker Desktop 4.59.0 per the vendor release notes.
RemediationAI
Vendor-released patch: Docker Desktop 4.59.0 - upgrade per the release notes at https://docs.docker.com/desktop/release-notes/#4590 and cross-reference ZDI-26-299 at https://www.zerodayinitiative.com/advisories/ZDI-26-299/. Until the upgrade is rolled out, administrators relying on ECI should treat the Docker socket as exposed to any local CLI user: revoke Docker group membership from users who should not have Engine-equivalent privileges, log out of container registries on shared hosts to limit credential theft impact, and consider blocking the --use-api-socket flag via endpoint controls or wrapper scripts (trade-off: breaks legitimate workflows that intentionally proxy the Engine socket). Auditing admin-settings to ensure no broader Binds-based allowances exist is also prudent, though it does not address the Mounts-path bypass and is not a substitute for patching.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31484
GHSA-3f9v-226v-2qc9