Docker’s Ask Gordon AI flaw lets image metadata trigger remote code execution and data theft

Security researchers at Noma Security discovered a critical vulnerability in Docker’s Ask Gordon assistant that subverts how contextual data is trusted and relayed into local tooling. At the heart of the problem is the Model Context Protocol (MCP) integration: descriptive fields attached to container images are being forwarded into the MCP Gateway without sufficient validation, and the AI assistant can interpret those fields as actionable commands. That chain — a malicious payload hidden in image metadata, interpreted by the assistant, forwarded to the MCP Gateway, then executed by MCP tools — creates two distinct attack outcomes. In cloud or CLI environments an attacker can achieve remote code execution; on desktop installations the same vector is limited to extracting sensitive files and environment details because direct command execution is constrained. Noma frames the technique as a form of “meta-context injection,” where an attacker hijacks the system’s reasoning by feeding the model poisoned context rather than attacking the model weights or prompt directly. The core weaknesses are threefold: the assistant’s implicit trust in metadata, the MCP Gateway’s lack of request validation, and MCP tools’ broad visibility and capability within the environment. Docker responded with a November release that closes the most straightforward abuse paths — it blocks data exfiltration via corrupted image tags and forces explicit confirmation before MCP tools are run — but the discovery highlights a larger class of supply-chain risk when AI agents are given direct access to system control surfaces. Organizations that embed agentic assistants into developer tools must treat contextual bridges like MCP as high-risk interfaces and apply strict allowlists, ask-for-confirmation semantics, and robust input sanitization. The incident also signals a shift in attacker tradecraft: rather than exploiting software bugs alone, adversaries can weaponize system metadata to pivot through AI-led orchestration layers. For defenders, the immediate priorities are patching affected clients, auditing image registries for suspicious label content, and tightening MCP tool permissions; for platform vendors, the lesson is to architect human-in-the-loop checkpoints and to separate untrusted metadata from executable context. Docker’s patch reduces immediate exposure, but the structural pattern revealed by this finding will require changes in how agents and context gateways are designed if similar supply-chain abuses are to be prevented long term.