CVE-2026-6406 - High Severity Vulnerability
Vulnerable Library - github.com/docker/cli-v29.4.0+incompatible
The Docker CLI
Library home page: https://proxy.golang.org/github.com/docker/cli/@v/v29.4.0+incompatible.zip
Path to dependency file: /engine/go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/github.com/docker/cli/@v/v29.4.0+incompatible.mod
Dependency Hierarchy:
- ❌ github.com/docker/cli-v29.4.0+incompatible (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.
A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.
Publish Date: 2026-05-22
URL: CVE-2026-6406
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend here
CVE-2026-6406 - High Severity Vulnerability
The Docker CLI
Library home page: https://proxy.golang.org/github.com/docker/cli/@v/v29.4.0+incompatible.zip
Path to dependency file: /engine/go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/github.com/docker/cli/@v/v29.4.0+incompatible.mod
Dependency Hierarchy:
Found in base branch: master
The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials.
A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges.
Publish Date: 2026-05-22
URL: CVE-2026-6406
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here