Docker Desktop CredentialHelper Directory Traversal Enables Local Privilege Escalation (CVE‑2026‑XXXX)
What Happened — A newly disclosed, still unpatched flaw (CVE‑2026‑XXXX) in Docker Desktop lets a local attacker who already runs code inside the Docker Desktop Hyper‑V VM (i.e., who has already escaped a container) abuse an unchecked path in the credentialHelper setting to execute code on the host in the context of the logged‑in user. The prerequisite VM/container escape is what keeps the attack complexity high; this is not a remote or unauthenticated bug.
Why It Matters for TPRM —
- A developer workstation typically holds registry, cloud, and source‑control credentials, so code execution on the host can be leveraged to compromise downstream services and supply‑chain partners.
- Docker Desktop is widely adopted across SaaS, development, and CI/CD pipelines, expanding the attack surface of many third‑party relationships.
Who Is Affected — Technology SaaS firms, cloud‑hosted development environments, and any organization that permits Docker Desktop on employee machines.
Recommended Actions — Inventory Docker Desktop usage across your vendor ecosystem, enforce strict container isolation policies (treat code execution inside the Docker Desktop VM as a host compromise), and monitor for the vendor’s patch release. Until a fix is available, restrict Docker Desktop to hardened endpoints, limit who may run containers on them, and consider disabling the credentialHelper setting where your workflow allows it.
Technical Notes — The vulnerability is a directory traversal (CVSS 7.5; the vector begins AV:L/AC:H/PR:H, i.e., local access, high attack complexity, high privileges required) in the handling of the credentialHelper setting reached through the app/settings endpoint: a user‑supplied path is used in file operations without validation. Exploitation requires prior code execution in the Docker Desktop VM (a container escape), after which arbitrary code runs as the current user on the host; the escalation is from the VM to the host user’s session, not necessarily to root or SYSTEM. No vendor patch had been published at the time of the advisory. Source: Zero Day Initiative advisory
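The flaw class described above (a settings value used as a file path without validation) is easy to reproduce in miniature. The following is an added illustrative example written for this page; it is not Docker Desktop’s code, and the helper directory, function names and input values are assumptions. It shows an unchecked join that lets a "../" value walk out of the trusted directory, beside a hardened resolver that only accepts a bare helper name and re‑checks that the resolved path stays inside the directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// helperDir is an assumed trusted directory from which a settings service
// would launch credential-helper executables. Hypothetical, not Docker's.
const helperDir = "/usr/local/lib/docker/cli-plugins"

// resolveHelperUnchecked models the vulnerable pattern: the user-supplied
// credentialHelper value is joined straight onto helperDir. filepath.Join
// cleans the result, so ".." segments escape the directory.
func resolveHelperUnchecked(value string) string {
	return filepath.Join(helperDir, value)
}

var ErrBadHelper = errors.New("credentialHelper: value must be a bare helper name")

// resolveHelperChecked is the hardened form. It accepts only a bare file
// name made of [a-z0-9-], then independently verifies that the resolved
// path is still inside helperDir (defence in depth if the name rule changes).
func resolveHelperChecked(value string) (string, error) {
	if value == "" || strings.ContainsAny(value, `/\`) || value != filepath.Base(value) {
		return "", ErrBadHelper
	}
	for _, r := range value {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-') {
			return "", ErrBadHelper
		}
	}
	p := filepath.Join(helperDir, value)
	rel, err := filepath.Rel(helperDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadHelper
	}
	return p, nil
}

func main() {
	// Constructed inputs: a legitimate helper name and two traversal attempts.
	for _, v := range []string{
		"docker-credential-desktop",
		"../../../../../tmp/evil",
		"docker-credential-desktop/../../../../../../tmp/evil",
	} {
		fmt.Printf("%-55q unchecked -> %s\n", v, resolveHelperUnchecked(v))
		p, err := resolveHelperChecked(v)
		fmt.Printf("%-55q checked   -> %q err=%v\n", v, p, err)
	}
}
```

The unchecked resolver returns `/tmp/evil` for the second input, which is exactly the shape of bug the advisory describes: whoever controls the setting controls which binary the host later executes. The hardened version rejects both traversal inputs and keeps the good name unchanged.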