# The Obedient Accomplice

<div align="left"><figure><img src="/files/rjjo60IQX9MhZ9n6gRh8" alt=""><figcaption></figcaption></figure></div>

*How a poisoned label turned Docker's AI into an obedient burglar.*

## The Setup

Ask Gordon is, by design, a good listener. Docker's AI assistant reads container image metadata and answers questions about it in plain English. It ingests, reasons, replies. Helpful, by any measure.

The trouble, as we discovered, is that helpfulness has no opinions about the source of its instructions.

The attack, DockerDash, begins with something as mundane as a Docker image LABEL — the small text fields developers routinely attach as documentation. A label might say *maintainer:* [*engineering-team@company.com*](mailto:engineering-team@company.com), or *version: 2.3.1*, or, in the case of a malicious image, something considerably more ambitious. The attacker's label looked, to casual inspection, like metadata. To Gordon, reading it as context for a conversation, it looked like a task. That gap — between description and instruction, between passive and active — is the entire vulnerability.

{% hint style="info" %}
As of February 3rd, 2026 Docker has implemented a fix for this vulnerability in Docker Desktop 4.50.0.
{% endhint %}

### How It Happened

<div><figure><img src="/files/NREVJxFw0uotKe0HDWKx" alt=""><figcaption></figcaption></figure> <figure><img src="/files/tZBymRvnRe5Hd6WsD1MV" alt=""><figcaption></figcaption></figure> <figure><img src="/files/7IT1PysqeUbGOFqppwcB" alt=""><figcaption></figcaption></figure></div>

<div><figure><img src="/files/8YGGU04MQITuXhu04Lsj" alt=""><figcaption></figcaption></figure> <figure><img src="/files/aRdlc4Gbizw7HeEwPIQK" alt=""><figcaption></figcaption></figure> <figure><img src="/files/rQyVwNCcUDvxGQn5X7mj" alt=""><figcaption></figcaption></figure></div>

<div><figure><img src="/files/nGG0hNEcRv9R7wvHFqem" alt=""><figcaption></figcaption></figure> <figure><img src="/files/NOfPlcxCLc4mvA1HsaZi" alt=""><figcaption></figcaption></figure></div>

### Attack Propagation: Through the AI Kill Chain&#x20;

DockerDash didn't exploit a single flaw. It traveled — methodically, quietly — through all ten stages of the AI Kill Chain.

<figure><img src="/files/GXuKMTxb2fQlnUdZTWQF" alt=""><figcaption></figcaption></figure>

It entered at **Stage 1 (AI Recon)** through silent behavioral fingerprinting: the attacker studied how Gordon processed metadata before ever touching a LABEL field. Human oversight was neutralized at **Stage 2 (Trust and Manipulation)** — the human-in-the-loop was bypassed entirely because there was no visible interaction for anyone to review.

At **Stage 3 (Instruction and Weaponization)**, *Instruction Smuggling and Format Confusion* turned an innocuous documentation field into a covert command channel. **Stage 4 (Reasoning and Execution)** delivered *Goal Substitution* — Gordon's reasoning was redirected without its awareness or any user input.

The middle stages compounded the damage. *Unauthorized Tool Invocation* at **Stage 5** handed execution to the MCP gateway. *Credential Overreach via AI* at **Stage 6** gave the attacker the victim's own Docker privileges — access they could not have obtained through conventional means. *Workflow and Automation Hijacking* at **Stage 7** spread the impact laterally across containers without further attacker involvement.

At **Stage 8 (Persistence)**, cached images in registries ensured the attack would survive indefinitely. **Stage 9 (AI C\&C)** enabled *Trigger-Based Control* — new instructions embedded in metadata could redirect Gordon at any time, with no traditional command-and-control infrastructure required. Stage 10 delivered the objective: containers stopped, operations disrupted — *Autonomous Fraud and Abuse*, executed without the attacker ever directly touching the victim's environment.&#x20;

### The Fix, and What It Doesn't Fix

Docker moved quickly. By February 3rd of this year, the company shipped a patch in Docker Desktop version 4.50.0, tightening the trust relationship between Gordon and the metadata it ingests. For users who have updated, the doorway is closed.

For developers and organizations still exposed, the steps are straightforward:

* Upgrade to Docker Desktop 4.50.0 or later.
* Avoid unverified or untrusted Docker images; prefer images from vetted registries.
* Treat AI-assisted tooling outputs as proposals, not conclusions — review any action Gordon suggests before allowing execution.

For AI and platform vendors, the obligation runs deeper:

* Treat all external metadata — especially Docker image labels — as untrusted input, and validate it strictly.
* Require explicit user confirmation before any MCP tool invocation.
* Enforce least privilege for any AI-triggered tool execution.

The patch closes this particular doorway. The deeper assumption it exposed — that an AI capable of reading everything is wise enough to distrust some of it — remains very much open. As AI assistants absorb context from codebases, configuration files, and container metadata, the surface area for this kind of manipulation grows in direct proportion to their capability. Each new tool an AI can invoke, each new source of context it can ingest, is also a new avenue for an attacker who understands how the model thinks.

Gordon was doing its job. It read the label. It followed the instructions. It was, in the fullest and most disconcerting sense of the word, helpful.

> Every AI assistant that reads external context is a potential Gordon. Lineaje UnifAI maps your AI inventory, sets policy, and defends at runtime — so the next poisoned label finds a closed door. See [Lineaje UnifAI](https://www.lineaje.com/unifai).

### Industry Context  &#x20;

* **Mitre Atlas**: [AML.T0043](https://atlas.mitre.org/techniques/AML.T0043), [AML.T0051](https://atlas.mitre.org/techniques/AML.T0051), [AML.T0053](https://atlas.mitre.org/techniques/AML.T0053), [AML.T0010](https://atlas.mitre.org/techniques/AML.T0010), [AML.T0083](https://atlas.mitre.org/techniques/AML.T0083)&#x20;
* **OWASP Top 10 for Agentic Applications**: [ASI01, ASI02, ASI03, ASI05, ASI06](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)&#x20;
* **OWASP LLM Top 10**: [LLM01, LLM02, LLM07](https://genai.owasp.org/llmrisk/llm01-prompt-injection/)&#x20;

#### Resources&#x20;

To learn more about the AI Kill Chain, see [Lineaje AI Kill Chain White Paper](https://www.lineaje.com/ai-kill-chain-whitepaper).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.veedna.com/lineaje-ai-threat-advisory/instruction-manipulation/the-obedient-accomplice.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.