Docker MCP Plugin Vulnerability Allows Remote Code Execution via Malicious Images
A critical argument injection vulnerability in Docker MCP Plugin (CVE-2026-55887, CVSS 8.6) allows remote code execution when users reference malicious Docker images.

A critical vulnerability has been disclosed in the Docker MCP Plugin, tracked as CVE-2026-55887 with a CVSS score of 8.6. The flaw resides in the plugin's handling of OCI image label parsing, where an attacker can inject arbitrary arguments by crafting a malicious Docker image. Successful exploitation requires user interaction—the target must reference the malicious image via a docker URI scheme—but once triggered, the attacker can execute arbitrary code on the affected system.
The vulnerability was reported through the Zero Day Initiative (ZDI) and assigned advisory ZDI-26-363. Docker MCP Plugin is a tool that integrates Docker with the Model Context Protocol (MCP), allowing AI models to interact with Docker containers. The plugin parses OCI image labels to extract metadata, but fails to properly sanitize input, enabling argument injection. An attacker can embed malicious arguments in image labels, which the plugin then acts on when the image is referenced.
This vulnerability is particularly concerning because Docker images are widely shared and trusted. An attacker could upload a malicious image to a public registry like Docker Hub, and any user who references that image via a docker URI scheme in the MCP plugin would be compromised. The attack does not require authentication, only that the victim uses the plugin to interact with the image.
The impact is remote code execution with the privileges of the user running the plugin. This could lead to full system compromise, data theft, or lateral movement within a network. Docker MCP Plugin is used in AI and automation workflows, where it may have elevated permissions to manage containers, amplifying the risk.
As of the advisory date, no patch has been released. Users are advised to avoid referencing untrusted Docker images via the MCP plugin until a fix is available. The ZDI recommends disabling the plugin or restricting its use to trusted images only. The vulnerability was disclosed responsibly to the vendor, and a patch is expected in a future update.
This disclosure adds to a growing list of vulnerabilities in AI-related plugins and tools. As AI models increasingly interact with system resources, the attack surface expands. Developers must ensure that plugins handling external data, such as Docker images, implement strict input validation to prevent injection attacks. The Docker MCP Plugin vulnerability serves as a reminder that even trusted infrastructure components can be exploited if not properly secured.
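The strict input validation described above, as an added example (not code from Docker MCP Plugin or from the advisory). The advisory does not say which labels the plugin reads or what command it builds, so the `example.hypothetical.*` label keys, the `tool` program name and the allowlist pattern are assumptions; the sample labels are constructed.

```python
import re

# Assumption: labels arrive as the dict stored under Config.Labels in an image config.
# Strict allowlist for any label value that will be placed on a command line.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/@+=-]*\Z")

# Constructed sample input; the two example.hypothetical.* keys are made up.
SAMPLE_LABELS = {
    "org.opencontainers.image.version": "1.4.2",
    "org.opencontainers.image.source": "https://example.com/repo",
    "example.hypothetical.entry": "--constructed-option=value",
    "example.hypothetical.note": "two words",
}


def audit_labels(labels):
    """Return {key: reason} for every label value unsafe to use as an argument."""
    findings = {}
    for key, value in (labels or {}).items():
        if not isinstance(value, str) or value == "":
            findings[key] = "empty or non-string value"
        elif value.startswith("-"):
            findings[key] = "leading '-' would be parsed as an option"
        elif any(ch.isspace() or ord(ch) < 0x20 for ch in value):
            findings[key] = "whitespace or control character"
        elif not SAFE_VALUE.match(value):
            findings[key] = "character outside the allowlist"
    return findings


def build_argv(program, fixed_args, label_value):
    """Build an argv list in which label_value can only be a positional operand."""
    if audit_labels({"value": label_value}):
        raise ValueError("label value rejected")
    # '--' ends option parsing for programs that follow POSIX/GNU conventions.
    # Pass the list to subprocess.run(argv) without shell=True so nothing re-splits it.
    return [program, *fixed_args, "--", label_value]


if __name__ == "__main__":
    for key, reason in audit_labels(SAMPLE_LABELS).items():
        print(f"REJECT {key}: {reason}")
    print(build_argv("tool", ["inspect"], SAMPLE_LABELS["org.opencontainers.image.version"]))
```

Rejecting a value outright is safer than trying to strip or escape it, and the `--` separator is a second layer for the case where the allowlist is later loosened.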