Docker Desktop MCP Server Beta Stores Credentials in Plaintext, ZDI Advisory Reveals
A vulnerability in the beta version of Docker Desktop MCP Server beta allows local attackers with low-privileged code execution to read stored credentials from cleartext configuration files.
The Zero Day Initiative (ZDI) has disclosed a vulnerability in the Docker Desktop MCP Server (beta) that stores sensitive information in plaintext, tracked as ZDI-26-123. The flaw, reported by David Fiser and Alfredo Oliveira of Trend Research, allows a local attacker who has already achieved low-privileged code execution on a target system to read stored credentials from the MCP server configuration. This could enable further compromise of the Docker environment or connected services.
The specific issue lies in how the MCP server configuration handles credential storage. Instead of encrypting or securely, the configuration stores sensitive data in plaintext, making it trivially accessible to any process or user with local read access. The vulnerability carries a CVSS score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), reflecting the need for prior local access but the high confidentiality impact once exploited.
Docker has addressed the issue via pull request 247 on the mcp-gateway repository on GitHub. According to the vendor, the affected component is a beta feature, and as such, a CVE identifier will not be assigned. The advisory notes that the vulnerability was reported to Docker on July 9, 2025, and the coordinated public release occurred on February 23, 2026.
The Docker Desktop MCP Server is part of Docker's experimental integration with the Model Context Protocol (MCP), which allows AI agents and tools to interact with Docker environments. While still in beta, the feature is used by developers exploring AI-assisted container management. The cleartext storage issue underscores the risks of shipping beta features that may not have undergone rigorous security hardening.
This disclosure follows a broader trend of vulnerabilities in developer tools and AI-related infrastructure. As organizations rapidly adopt AI-enable their workflows, the security of supporting components like MCP servers becomes critical. The ZDI advisory serves as a reminder that even beta features should implement basic security controls such as encryption at rest for sensitive data.
Users of Docker Desktop who have enabled the MCP Server beta are advised to apply the fix from pull request 247 or disable the feature until the patch is incorporated into a stable release. The vulnerability does not affect the core Docker Desktop product, only the optional MCP Server component.