Docker Desktop Container Isolation Bypass Vulnerability
CVE-2026-6406
8.8 HIGH
What is CVE-2026-6406?
A vulnerability in Docker Desktop allows local attackers to bypass Enhanced Container Isolation (ECI) controls through the Docker CLI's --use-api-socket flag. When ECI is enabled, Docker socket mounts into containers are supposed to be explicitly configured rather than granted on request. The implementation of the --use-api-socket flag circumvents this: it adds the Docker socket mount through a path that the ECI enforcement checks do not inspect. An attacker who can run the CLI can therefore obtain unauthorized access to the Docker Engine socket, which can lead to privilege escalation and to retrieval of the authentication credentials the host user has stored for the Docker CLI.
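Two checks a defender would want from this record are whether an installed Docker Desktop version falls in the affected range and whether any running container already has the Engine socket bind-mounted. The script below is an added example written for this page, not code from Docker or from the reporter; it assumes the version range given under "Affected Version(s)" and matches mounts by the "docker.sock" file name, which is a heuristic (the socket path presented by Docker Desktop can differ from /var/run/docker.sock). The container records it ships with are constructed sample data in the shape of docker inspect output.

```python
import json
import re
import sys

# Constructed sample of `docker inspect <id> ...` output (not captured from a
# real host): "builder" has the Engine socket bind-mounted, "web" does not.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/builder",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True}
        ],
    },
    {
        "Id": "bbb222",
        "Name": "/web",
        "Mounts": [
            {"Type": "volume", "Name": "webdata",
             "Source": "/var/lib/docker/volumes/webdata/_data",
             "Destination": "/data", "RW": True}
        ],
    },
])

# Range stated in the advisory: 4.41.0 up to, but not including, 4.59.0.
AFFECTED_MIN = (4, 41, 0)
FIXED_IN = (4, 59, 0)


def parse_version(text: str) -> tuple:
    """Turn '4.58.1' (or '4.58.1-rc1') into (4, 58, 1); missing parts become 0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text: str) -> bool:
    """True when the Docker Desktop version lies in the advisory's affected range."""
    version = parse_version(text)
    return AFFECTED_MIN <= version < FIXED_IN


def find_socket_mounts(inspect_json: str, socket_suffix: str = "docker.sock") -> list:
    """Return (container, source, destination) for every mount whose source or
    destination path ends in the Docker socket file name (assumed heuristic)."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts") or []:
            src = mount.get("Source") or ""
            dst = mount.get("Destination") or ""
            if src.endswith(socket_suffix) or dst.endswith(socket_suffix):
                findings.append((name, src, dst))
    return findings


if __name__ == "__main__":
    # Read `docker inspect` JSON from stdin; fall back to the sample when run bare.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, src, dst in find_socket_mounts(data):
        print(f"{name}: {src} -> {dst}")
```

On a host with Docker running, feed it the live container records with `docker inspect $(docker ps -q) | python3 check_socket_mounts.py`; any line it prints names a container that can reach the Engine API and therefore warrants review regardless of how the mount was requested.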
Affected Version(s)
Docker Desktop macOS 4.41.0 < 4.59.0
References
CVSS V4
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Nitesh Surana (niteshsurana.com) of Trend Research
