SECURITYWEEK reports that a critical vulnerability named DockerDash affects Docker’s Ask Gordon AI assistant, existing in the MCP Gateway’s contextual trust where instructions can be forwarded from image metadata without validation. The flaw allows an attacker to embed malicious instructions in a Docker image’s metadata labels, which are read by Gordon AI, forwarded to the MCP Gateway and executed with zero validation, a tactic SecurityWeek calls meta-context injection.
Depending on the deployment, an attacker could trigger remote code execution on cloud/CLI systems or cause data exfiltration on desktop applications, with desktop use limited to data theft rather than code execution. The issue hinges on the MCP Gateway treating AI-provided context and metadata as safe and user-authorised, enabling broad system visibility for MCP tools.
Docker Desktop version 4.50.0, released in November, includes fixes for both attack paths, and Ask Gordon now blocks data exfiltration via image tag injection and requires explicit confirmation before executing built-in and user-added MCP tools. The report is by Ionut Arghire and dated 4 February 2026.