DockerDash: Remote Code Execution Through AI‑Driven Metadata Abuse
Overview
DockerDash is a critical vulnerability in Docker's AI assistant, Ask Gordon. The flaw enables an attacker to achieve Remote Code Execution simply by getting a victim to inspect a malicious Docker image with Ask Gordon in a cloud or command line interface environment. A poisoned Docker image becomes the attacker's payload, and Ask Gordon becomes the unintentional executor of the attacker's commands.
Once triggered, the attacker can execute Docker command line backed actions without user intent, validation, or authorization.
As of February 3rd, 2026, Docker has implemented a fix for this vulnerability in Docker Desktop 4.50.0.
How Did It Happen?
Action 1
Attacker infers that Docker’s Ask Gordon ingests Docker image metadata (e.g., Dockerfile LABELs) as conversational context and forwards outputs to an MCP-backed execution environment.
Action 2
The attacker hides multi‑step, command‑like instructions inside the Docker image LABEL fields, written so they look like real instructions instead of documentation.
Action 3
Ask Gordon reads those labels as tasks it should perform. It adds the attacker’s instructions into its reasoning and creates an action plan instead of just giving a description.
Action 4
Ask Gordon sends this attacker‑influenced plan to the Model Context Protocol (MCP) gateway, which then runs Docker CLI tools, like listing or stopping containers, using the victim’s permissions.
Action 5
These commands run with the victim’s Docker privileges, allowing the attacker to manage containers without the user asking for it or approving it.
Action 6
The attacker’s instructions cause Ask Gordon to interact with multiple containers, spreading the impact beyond the original Docker image.
Action 7
The malicious Docker image remains stored in registries and caches, so the attack can happen again any time someone uses Ask Gordon to inspect the image.
Action 8
The attacker continues directing what happens by placing new instructions into the image metadata, using Ask Gordon as a command generator instead of a traditional control system.
Action 9
The attack reaches its goal when containers are stopped or changed, causing downtime or disruption in the victim’s environment.
How DockerDash Works
DockerDash exploits a systemic trust failure within the AI supply chain. Ask Gordon trusts Docker metadata, the MCP gateway trusts Ask Gordon, and Docker tools trust the Model Context Protocol. A single poisoned metadata field cascades into full execution of attacker logic.
Threat Impact
Attackers achieve remote code execution using the victim's Docker privileges.
Containers can be listed, stopped, or manipulated without user knowledge.
Operational disruption or denial of service becomes likely.
Traditional monitoring may miss the attack because it abuses AI reasoning rather than a conventional software bug.
Mitigation and Prevention
For AI and platform vendors
Treat all external metadata, especially Docker image labels, as untrusted and validate it strictly.
Require explicit user confirmation before Model Context Protocol tool invocation.
Enforce least privilege access for any AI triggered tool execution.
For developers and organizations
Upgrade to Docker Desktop version 4.50.0 or later.
Avoid unverified or untrusted Docker images, and prefer images from vetted registries.
Treat AI assisted tooling outputs as potentially unsafe and review any proposed actions before execution.
Indicators of Compromise (IoCs)
Unexpected container starts, stops, or deletions.
Ask Gordon producing action oriented responses instead of descriptive ones.
Docker command line activity not initiated by the user.
Recurring suspicious activity tied to the same Docker image.
Industry Context
OWASP Top 10 for Agentic Applications: ASI01, ASI02, ASI03, ASI05, ASI06
OWASP LLM Top 10: LLM01, LLM02, LLM07
Resources
Last updated