Skip to main content

Docker Desktop CVE-2026-6406

| EUVDEUVD-2026-31484 HIGH
Incorrect Authorization (CWE-863)
2026-05-22 Docker GHSA-3f9v-226v-2qc9
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 26, 2026 - 14:16 EUVD
Analysis Generated
May 22, 2026 - 19:30 vuln.today

DescriptionCVE.org

The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.

A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.

AnalysisAI

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Technical ContextAI

Docker Desktop's Enhanced Container Isolation feature is a hardening control that runs containers in a Linux VM with restricted privileges and enforces an admin-controlled allowlist for sensitive mounts like the Docker socket. Enforcement is implemented in the Docker Desktop API proxy that sits between the CLI and the Engine. The Docker container creation API accepts mount specifications via two distinct fields: HostConfig.Binds (legacy short string form) and HostConfig.Mounts (newer structured form). The --use-api-socket CLI flag, intended to expose the Engine socket to containers, populates HostConfig.Mounts, but the ECI proxy only validated Binds - a classic CWE-863 incorrect authorization decision where the policy engine inspects an incomplete view of the request. Affected CPE is cpe:2.3:a:docker:docker_desktop:*:*:*:*:*:*:*:*, with the fix landing in Docker Desktop 4.59.0 per the vendor release notes.

RemediationAI

Vendor-released patch: Docker Desktop 4.59.0 - upgrade per the release notes at https://docs.docker.com/desktop/release-notes/#4590 and cross-reference ZDI-26-299 at https://www.zerodayinitiative.com/advisories/ZDI-26-299/. Until the upgrade is rolled out, administrators relying on ECI should treat the Docker socket as exposed to any local CLI user: revoke Docker group membership from users who should not have Engine-equivalent privileges, log out of container registries on shared hosts to limit credential theft impact, and consider blocking the --use-api-socket flag via endpoint controls or wrapper scripts (trade-off: breaks legitimate workflows that intentionally proxy the Engine socket). Auditing admin-settings to ensure no broader Binds-based allowances exist is also prudent, though it does not address the Mounts-path bypass and is not a substitute for patching.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-6406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy