Docker Docker Desktop
18 CVEs affecting Docker Docker Desktop. Latest disclosed: 2026-06-02. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-6406 | High | 8.8 | 2026-05-22 | The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from… |
| CVE-2026-5843 | High | 8.2 | 2026-05-22 | The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model… |
| CVE-2026-5817 | High | 8.2 | 2026-05-22 | The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sa… |
| CVE-2023-1802 | Medium | 5.9 | 2023-04-06 | In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targete… |
| CVE-2026-8936 | | | 2026-06-02 | Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder a… |
| CVE-2026-2664 | | | 2026-02-24 | An out of bounds read vulnerability in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux and macOS up to version 4.61.0 c… |
| CVE-2025-13743 | | | 2025-12-09 | Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensiti… |
| CVE-2025-9164 | | | 2025-10-27 | Docker Desktop Installer.exe is vulnerable to DLL hijacking due to insecure DLL search order. The installer searches for required DLLs in the user's Downloads… |
| CVE-2025-10657 | | | 2025-09-26 | In a hardened Docker environment, with Enhanced Container Isolation ( ECI https://docs.docker.com/enterprise/security/hardened-desktop/enhanced-container-isola… |
| CVE-2025-9074 | | | 2025-08-20 | A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, a… |
| CVE-2025-6587 | | | 2025-07-03 | System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensit… |
| CVE-2025-3911 | | | 2025-04-29 | Recording of environment variables, configured for running containers, in Docker Desktop application logs could lead to unintentional disclosure of sensitive i… |
| CVE-2025-4095 | | | 2025-04-29 | Registry Access Management (RAM) is a security feature allowing administrators to restrict access for their developers to only allowed registries. When a MacOS… |
| CVE-2025-3224 | | | 2025-04-28 | A vulnerability in the update process of Docker Desktop for Windows versions prior to 4.41.0 could allow a local, low-privileged attacker to escalate privilege… |
| CVE-2025-1696 | | | 2025-03-06 | A vulnerability exists in Docker Desktop prior to version 4.39.0 that could lead to the unintentional disclosure of sensitive information via application logs… |
| CVE-2024-9348 | | | 2024-10-16 | Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view. |
| CVE-2024-8696 | | | 2024-09-12 | A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop befo… |
| CVE-2024-8695 | | | 2024-09-12 | A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34… |