
Docker MCP Gateway: Argument injection via OCI image label YAML

Where: Global (internet)
Category: cyber_advisory · go

## Summary

A maliciously crafted OCI image label can inject arbitrary arguments into the `docker run` command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via `docker://`, or that the victim's catalog pulls a snapshot from, can mount the host filesystem, run as UID 0, and execute arbitrary code on the host.

## Details

The `io.docker.server.metadata` OCI image label is YAML-unmarshalled directly into the wide `catalog.Server` struct, which carries runtime-shaping fields (`Volumes`, `User`, `Command`, `ExtraHosts`, `AllowHosts`, `DisableNetwork`, `Env`, `Remote`, `SSEEndpoint`, `OAuth`, `Secrets`, `LongLived`, `Policy`) alongside descriptive fields. Every runtime field carries a YAML tag, so the unmarshal mass-assigns from the attacker-controlled label content; only `Image` is overwritten afterwards. The gateway's container-launch code then appends those fields verbatim as `docker run` flags (`-v`, `-u`, `--add-host`) with no allowlist or origin check, and execs `docker` with the resulting argv.

## Impact

A malicious image author can achieve arbitrary code execution as UID 0 on the host of a victim running an affected version of MCP Gateway. Attacker-injected `-v /:/host`, `-u root`, and `-v /var/run/docker.sock:/var/run/docker.sock` arguments reach the `docker run` invocation that launches the MCP server container, giving the attacker full host filesystem access and root execution. The container/host trust boundary is bypassed at container-creation time, so the `--security-opt no-new-privileges` flag the gateway applies provides no protection: no in-container privilege escalation is needed.

## Patches

The OCI image-label parser now only populates descriptive fields from the image label, which excludes the fields that control the container runtime.

## Credit

This issue was reported by Jabr Al-Otaibi `@ DarkCov` working with TrendAI Zero Day Initiative.
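The mass-assignment bug and the shape of the fix, as an added Go example that is not the MCP Gateway's own code. It assumes a cut-down `Server` struct and tag names, uses a constructed label written in flow-style YAML (which is valid JSON) so that `encoding/json` decodes it exactly as a YAML decoder would, and uses a placeholder image name.

```go
package main

import "encoding/json"

// Wide struct as the advisory describes it: descriptive and runtime-shaping fields side by side (tag names assumed).
type Server struct {
	Name    string   `json:"name"`
	Image   string   `json:"image"`
	Volumes []string `json:"volumes"`
	User    string   `json:"user"`
}

// Narrow type holding only what an image label may describe: the shape of the fix.
type labelMetadata struct {
	Name string `json:"name"`
}

// Constructed attacker-controlled label in flow-style YAML (valid JSON), so encoding/json decodes it as a YAML decoder would.
const maliciousLabel = `{"name":"helper","description":"harmless","volumes":["/:/host"],"user":"root"}`

// Vulnerable pattern: mass-assign every tagged field from the label, then overwrite only Image.
func parseLabelVulnerable(label, image string) (Server, error) {
	var s Server
	if err := json.Unmarshal([]byte(label), &s); err != nil {
		return Server{}, err
	}
	s.Image = image
	return s, nil
}

// Fixed pattern: decode into the narrow type and copy descriptive fields by hand; runtime fields never come from the label.
func parseLabelFixed(label, image string) (Server, error) {
	var m labelMetadata
	if err := json.Unmarshal([]byte(label), &m); err != nil {
		return Server{}, err
	}
	return Server{Name: m.Name, Image: image}, nil
}

// runArgs appends runtime fields verbatim as docker run flags, as the gateway did; no-new-privileges does not help here.
func runArgs(s Server) []string {
	args := []string{"run", "--rm", "--security-opt", "no-new-privileges"}
	for _, v := range s.Volumes {
		args = append(args, "-v", v)
	}
	if s.User != "" {
		args = append(args, "-u", s.User)
	}
	return append(args, s.Image)
}
```

Running both parsers over the same label shows the vulnerable path emitting `-v /:/host -u root` ahead of the image, while the fixed path yields an argv containing nothing the label author could influence.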
