The AI explosion in recent years has led to widespread adoption in a variety of business environments, including the rapid rise of AI assistants inside DevOps and cloud workflows. These “trusted” tools are now embedded directly in operational paths, creating potential risks. AI security company Noma’s security research team at Noma Labs recently disclosed a vulnerability in Docker’s Ask Gordon AI assistant. Known as DockerDash, this critical security flaw is not an isolated incident, but a warning sign of the dangers of innate trust in AI agents.
What Is DockerDash?
Docker’s Ask Gordon is an embedded tool intended to help improve the Docker experience with AI-enhanced assistance. It is designed to perform actions from running and troubleshooting containers to identifying vulnerabilities and configuration issues, requiring broad access and permissions. The discovered flaw can lead to compromise of the Docker environment with only a single malicious metadata label in an image.
The capabilities of the Gordon assistant are exactly what allow the DockerDash flaw to occur. None of the stages of the attack encounter any kind of validation, enabling attackers to take advantage of the system’s architecture. Due to the operational flow and how the tool parses metadata commands, the vulnerability does not require any traditional exploits, malware, or user error in order to be executed.
Anatomy of a Cascading Trust Failure
The DockerDash flaw takes place in multiple stages, beginning with a single line of malicious instructions in image metadata, which the Ask Gordon AI interprets as valid context. The AI assistant then forwards the instruction through the Model Context Protocol (MCP) Gateway, which lacks the ability to differentiate metadata information from actionable instructions. The gateway reads the instruction and executes the attacker-controlled actions with MCP tools.
The entire execution chain leverages the lack of guardrails in place to detect and filter unauthorized activity, allowing the attack to be carried out without authentication or verification. The AI assistant and MCP are not able to understand when input is suspicious or malicious, making them perfect targets for threat actors to take advantage of.
From Supply Chain Risk to System Compromise
The absence of security measures protecting against risk through AI agents enables fundamental compromise of the Docker environment. Ask Gordon has access to the Docker environment and the ability to carry out various actions that bad actors can leverage to their benefit. The execution of arbitrary Docker commands can lead to stopping production containers and launching unauthorized or malicious workloads.
Attackers can also use this method of exploiting AI logic and workflows to access and steal sensitive data from across the environment. The data that can be potentially exfiltrated includes information on installed MCP tools, container configurations and environment variables, and network topology. Attackers can abuse legitimate AI tool access in order to evade traditional security controls.
The New AI Attack Surface in DevOps
The growing use of AI tools and agents is a major factor in the technological landscape that demands a shift in security approaches. Traditional threat modeling assumptions break down in environments employing agentic AI tools. AI agents are non-human identities with far-reaching access and permissions, operating completely differently from how human users behave.
Unlike humans, AI agents are unable to comprehend and interpret factors like context and intent, making these the new exploit vectors for attackers looking to take advantage of agentic AI environments. Image scanning and code analysis alone are no longer sufficient measures against agentic AI risk as vulnerabilities can be introduced in many other ways that remain unaccounted for.
Why This Changes the Security Conversation
Agentic AI risks force a shift in the focus and priorities of security discussions, from software vulnerabilities to trust vulnerabilities. AI-augmented CI/CD and infrastructure automation are heavily impacted by this type of danger, with implications of foundational risk. Governing AI authority in production environments demands a newer approach with agentic capabilities in mind.
This flaw is significant in what it reveals about the threat landscape looking forward. “DockerDash is one example of what is sure to be a slew of examples in 2026,” says David Brumley, Chief AI and Science Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity. “The prompt injection vulnerable pattern is clear and growing, and not one easily caught by traditional AppSec tools.”
Securing AI Means Securing Trust
The DockerDash flaw highlights the need for validation, boundaries, and intent verification in AI agents. It is crucial to rethink how authority is delegated to AI systems to protect against threats taking advantage of the sprawling permissions and abilities of agentic tools. DockerDash is a preview of future AI-driven supply chain attacks, which defenders would be wise to look to for lessons on agentic AI security.
