A critical-severity bug in Docker’s Ask Gordon AI assistant can be exploited to compromise Docker environments, cybersecurity firm Noma Security warns.
Named DockerDash, the bug exists in the MCP Gateway’s contextual trust, where malicious instructions injected into a Docker image’s metadata labels are forwarded to the MCP and executed without validation.
“In modern AI architectures, the Model Context Protocol (MCP) acts as a bridge between the LLM and the local environment (files, Docker containers, databases). MCPs provide the ‘context’ AI needs to answer questions,” Noma explains.
Because the MCP Gateway does not distinguish between informational metadata and runnable internal instructions, an attacker can embed malicious instructions in the metadata fields of a Docker image.
“Gordon AI reads and interprets the malicious instruction, forwards it to the MCP Gateway, which then executes it through MCP tools. Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture,” Noma says.
The cybersecurity firm has named the technique ‘meta-context injection’ and explains that it allows an attacker to hijack an AI’s reasoning process.
Ask Gordon is embedded in Docker Desktop and the Docker CLI, and a successful attack could have one of two outcomes: for cloud/CLI systems, it leads to remote code execution (RCE), while desktop applications are exposed to data exfiltration.
Both attack chains rely on Ask Gordon to process malicious instructions masquerading as a benign image description. However, the desktop implementation of the AI prevents command execution and can only be used for data theft.
“An attacker can still weaponize Ask Gordon’s read access to exfiltrate sensitive internal data about the victim’s environment,” Noma says.
The main issue, the cybersecurity firm underlines, is that the AI assistant trusts all image metadata as safe contextual information and interprets commands in metadata as legitimate tasks, that the MCP Gateway trusts the AI’s requests as user-authorized, and that MCP tools provide broad system visibility.
Docker Desktop version 4.50.0 was released in November with fixes for both attack paths. Ask Gordon now blocks data exfiltration via image tag injection and requires explicit confirmation before executing built-in and user-added MCP tools.

