Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN648 _____________________________________________________________________ DATE : 18/06/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running docker/mcp-gateway (Go) versions prior to 0.42.2. ===================================================================== https://github.com/docker/mcp-gateway/security/advisories/GHSA-r2xf-7jw5-pjg6 _____________________________________________________________________ Argument injection via OCI image label YAML in Docker MCP Gateway High mickael-docker published GHSA-r2xf-7jw5-pjg6 Jun 16, 2026 Package github.com/docker/mcp-gateway (Go) Affected versions >= 0.21.0, < 0.42.2 Patched versions 0.42.2 Description Summary A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host filesystem, run as UID 0, and execute arbitrary code on the host. Details The io.docker.server.metadata OCI image label is YAML-unmarshalled directly into the wide catalog.Server struct, which carries runtime-shaping fields (Volumes, User, Command, ExtraHosts, AllowHosts, DisableNetwork, Env, Remote, SSEEndpoint, OAuth,Secrets, LongLived, Policy) alongside descriptive fields. Every runtime field carries a YAML tag, so the unmarshal mass-assigns from the attacker-controlled label content; only Image is overwritten afterwards. The gateway's container-launch code then appends those fields verbatim as docker run flags (-v, -u, --add-host) with no allowlist or origin check, and execs docker with the resulting argv. Impact A malicious image author can achieve arbitrary code execution as UID 0 on the host of a victim running an affected version of MCP Gateway. Attacker-injected -v /:/host, -u root, and -v /var/run/docker.sock:/var/run/docker.sock arguments reach the docker run invocation that launches the MCP server container, giving the attacker full host filesystem access and root execution. The container/host trust boundary is bypassed at container-creation time, so the --security-opt no-new-privileges flag the gateway applies provides no protection: no in-container privilege escalation is needed. Patches The OCI image-label parser now only populates descriptive fields from the image label, which excludes fields that control the container runtime. Credit This issue was reported by Jabr Al-Otaibi @ DarkCov working with TrendAI Zero Day Initiative Severity High 8.7/ 10 CVSS v4 base metrics Exploitability Metrics Attack Vector Local Attack Complexity Low Attack Requirements Present Privileges Required None User interaction Active Vulnerable System Impact Metrics Confidentiality High Integrity High Availability High Subsequent System Impact Metrics Confidentiality High Integrity High Availability High CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE ID CVE-2026-55887 Weaknesses Weakness CWE-88 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================