Threat Advisory

Docker MCP Gateway Vulnerability Bypasses Container Isolation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-55887 with a CVSS score of 8.7 is an argument injection vulnerability in Docker MCP Gateway (go/github.com/docker/mcp-gateway) affecting versions ≥ 0.21.0 and < 0.42.2, where the component unmarshals the OCI image label `io.docker.server.metadata` directly into a runtime-shaping struct and then concatenates those fields as flags for the `docker run` command without validation. An attacker who can supply a malicious image referenced via a `docker://` URI or pulled by the gateway’s catalog can craft a label containing flags such as `-v /:/host`, `-u root`, and `-v /var/run/docker.sock:/var/run/docker.sock`; these are injected verbatim into the launch command, allowing the attacker to mount the host filesystem, run as UID 0, and execute arbitrary code on the host. The resulting capability is full root-level control of the underlying host, bypassing container isolation and rendering security-opt settings ineffective. Business impact includes potential theft or destruction of data, service disruption, and compliance violations, as the attacker can manipulate the host environment, install persistence mechanisms, or exfiltrate sensitive information. Exploitation requires the victim to run an affected MCP Gateway instance and to accept or pull a crafted OCI image under the attacker’s control.
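A pre-deployment audit of the label described above, as an added example (not code from Docker or the MCP Gateway project): it takes an image's label map, as reported by image inspection, and names the flag shapes from this advisory that the `io.docker.server.metadata` value carries. The rule names, the JSON encoding of the label value and the `run` field in the sample are assumptions; the patterns are heuristics, not the project's own validation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// MetadataLabel is the OCI label named in the advisory.
const MetadataLabel = "io.docker.server.metadata"

// rules are audit heuristics (hypothetical names) for the flag shapes the advisory lists.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"cli-flag", regexp.MustCompile(`(^|\s)--?[A-Za-z]`)}, // -v, -u, --mount ...
	{"host-bind", regexp.MustCompile(`(^|\s)/[^:\s]*:/`)}, // /host/path:/ctr/path
	{"docker-socket", regexp.MustCompile(`docker\.sock`)},
}

// AuditLabel returns the rules an image's metadata label trips (nil if none).
func AuditLabel(labels map[string]string) []string {
	raw := labels[MetadataLabel] // "" when the label is absent
	strs := []string{raw}        // the raw text is always scanned, JSON or not
	dec := json.NewDecoder(strings.NewReader(raw))
	for tok, err := dec.Token(); err == nil; tok, err = dec.Token() {
		if s, ok := tok.(string); ok {
			strs = append(strs, s) // decoded JSON keys and values
		}
	}
	text := strings.Join(strs, "\n")
	var out []string
	for _, r := range rules {
		if r.re.MatchString(text) {
			out = append(out, r.name)
		}
	}
	return out
}

func main() {
	// Constructed sample; the "run" field name is hypothetical.
	img := map[string]string{MetadataLabel: `{"name":"demo","run":"-u root"}`}
	fmt.Println(AuditLabel(img))
}
```

An image that trips any rule should be held back from the gateway and reviewed; a clean result does not replace the upgrade.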

RECOMMENDATION:

  • We recommend updating Docker MCP Gateway to version 0.42.2.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-r2xf-7jw5-pjg6