Docker Desktop Zero-Day Allows Container Escape to Host Privilege Escalation
A 0-day directory traversal vulnerability in Docker Desktop's credentialHelper allows attackers who have already escaped a container to escalate privileges and execute arbitrary code on the host system.

A critical zero-day vulnerability in Docker Desktop has been disclosed by the Zero Day Initiative (ZDI), allowing local attackers who have already escaped a container to escalate privileges and execute arbitrary code on the host system. The flaw, tracked as ZDI-26-261, resides in the `app/settings` endpoint and involves improper validation of the `credentialHelper` value, enabling a directory traversal attack. Docker has rejected the report, arguing that exploitation requires prior privileged access, leaving the vulnerability unpatched.
The vulnerability specifically affects Docker Desktop installations on Windows, where the attacker must first gain high-privileged code execution within the Docker Hyper-V VM. From that position, the attacker can exploit the directory traversal to write files to arbitrary locations on the host and ultimately execute code in the context of the current user. The advisory carries a CVSS score of 7.5 with the vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact despite the demanding preconditions encoded in the vector (local access, high attack complexity, and high privileges required).
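The root cause described above is a setting value that is used to build a file path without being validated. The advisory does not publish the vulnerable code, so the following Go program is an added illustration (not Docker's code) of how a defender would validate such a value: the helper name is restricted to an allowlist and a plain-token character set, separators and `..` are rejected outright, and the resolved path is re-checked for containment under the helper directory as defence in depth. The helper directory, the allowlist contents, and the sample setting values are constructed for the example; the `docker-credential-<name>` naming convention is the one Docker credential helpers use.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidHelper is returned for any helper name that fails validation.
var ErrInvalidHelper = errors.New("invalid credential helper name")

// knownHelpers is a constructed allowlist for this example; a real
// deployment would list only the helper binaries it actually ships.
var knownHelpers = map[string]bool{
	"desktop":       true,
	"wincred":       true,
	"osxkeychain":   true,
	"secretservice": true,
}

// helperNameRe accepts only a plain token: no separators, dots, or spaces.
var helperNameRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateHelperName rejects anything that could steer the helper lookup
// outside the expected directory. The explicit separator and ".." checks
// are redundant with the regexp but document the threat being excluded.
func ValidateHelperName(name string) error {
	if strings.ContainsAny(name, `/\`) || strings.Contains(name, "..") {
		return ErrInvalidHelper
	}
	if !helperNameRe.MatchString(name) {
		return ErrInvalidHelper
	}
	if !knownHelpers[name] {
		return ErrInvalidHelper
	}
	return nil
}

// ContainedIn reports whether candidate resolves to a location inside base.
// filepath.Rel cleans both paths, so "base/x/../../y" is correctly rejected.
func ContainedIn(base, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveHelperPath validates the configured name, builds the conventional
// docker-credential-<name> binary path under helperDir, and then re-checks
// containment as defence in depth.
func ResolveHelperPath(helperDir, name string) (string, error) {
	if err := ValidateHelperName(name); err != nil {
		return "", err
	}
	candidate := filepath.Join(helperDir, "docker-credential-"+name)
	if !ContainedIn(helperDir, candidate) {
		return "", ErrInvalidHelper
	}
	return candidate, nil
}

func main() {
	// Constructed sample settings values: one legitimate, the rest malformed.
	for _, name := range []string{"desktop", "../../evil", `..\evil`, "desktop.exe", "unknown"} {
		p, err := ResolveHelperPath("/opt/docker/helpers", name)
		fmt.Printf("%-16q -> path=%q err=%v\n", name, p, err)
	}
}
```

The allowlist is the decisive control: even if a future helper name contained an unexpected character, the lookup can only ever produce one of a fixed set of binaries under a directory the application owns. The containment check costs nothing and catches regressions if the validation is later loosened.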
The disclosure timeline reveals a contentious back-and-forth between ZDI and Docker. ZDI submitted the report on July 11, 2025, and after multiple follow-ups and technical clarifications, Docker formally rejected the report on November 11, 2025, stating that exploitation required prior privileged access. ZDI notified Docker of its intent to publish the case as a 0-day advisory on April 8, 2026, and the advisory was released on April 15, 2026.
The vulnerability was discovered and reported by researchers Nitesh Surana and Nelson William Gamazo Sanchez of Trend Research. Their findings highlight a significant security gap in Docker Desktop's architecture, where the boundary between container, VM, and host is not sufficiently hardened. The researchers demonstrated that even with the prerequisite of container escape, the flaw provides a reliable path to host compromise.
Docker's decision to reject the report has drawn criticism from the security community, as it effectively leaves users exposed to a known attack vector. The only mitigation offered by ZDI is to restrict interaction with the product, a vague recommendation that offers little practical protection for enterprise environments relying on Docker Desktop for development and deployment.
This incident underscores a broader trend in container security: as containerization becomes ubiquitous, the attack surface between containers and their host systems is increasingly targeted. While container escapes are often considered high-barrier attacks, the availability of a documented 0-day that bridges the gap to host compromise raises the stakes for organizations using Docker Desktop in sensitive environments.
Until a patch is issued, administrators are advised to monitor for unusual file system activity and consider additional isolation measures, such as running Docker Desktop in a dedicated virtual machine with minimal host access. The ZDI advisory serves as a stark reminder that even rejected vulnerability reports can have real-world consequences when left unaddressed.