DockerDash Flaw in Docker AI Assistant Leads to RCE, Data Theft

The critical vulnerability exists in the contextual trust in MCP Gateway architecture, as instructions are passed without validation.

A critical-severity bug in Docker’s Ask Gordon AI assistant can be exploited to compromise Docker environments, cybersecurity firm Noma Security warns.

Named DockerDash, the bug exists in the MCP Gateway’s contextual trust, where malicious instructions injected into a Docker image’s metadata labels are forwarded to the MCP and executed without validation.

“In modern AI architectures, the Model Context Protocol (MCP) acts as a bridge between the LLM and the local environment (files, Docker containers, databases). MCPs provide the ‘context’ AI needs to answer questions,” Noma explains.

Because the MCP Gateway does not distinguish between informational metadata and runnable internal instructions, an attacker can embed malicious instructions in the metadata fields of a Docker image.

“Gordon AI reads and interprets the malicious instruction, forwards it to the MCP Gateway, which ...