A new blog post from Docker warns that AI-powered developer tools built on the Model Context Protocol (MCP) are introducing critical security vulnerabilities — including real-world cases of credential leaks, unauthorized file access, and remote code execution.
These tools, often integrated directly into editors and dev environments, allow large language models (LLMs) to autonomously write code, access APIs, or invoke local scripts. But many of them operate without proper isolation or oversight.
The result, Docker says, is a dangerous pattern: AI agents running with elevated access to the filesystem, network, and shell — yet executing unverified instructions from untrusted sources.
In several observed incidents, AI tools executed shell commands without user approval, exposed sensitive environment variables, or modified files outside their intended scope.
At the center of the issue is MCP, a fast-growing protocol designed to standardize how AI agents interact with external tools, services, and data. Introduced in late 2024, MCP has been widely adopted by AI frameworks, IDE plugins, and enterprise workflows. It lets AI agents call out to MCP servers, plugins that handle specific tasks such as querying a database, updating a repo, or sending an email, through a common interface.
But many of these integrations are implemented insecurely. Docker’s analysis of thousands of MCP servers found widespread flaws.
In one high-profile case, CVE-2025-6514, a popular OAuth proxy used in MCP servers was exploited to execute arbitrary shell commands during login, compromising nearly half a million developer environments.
Beyond code execution, Docker identified a broader class of vulnerabilities, including file system exposure, unrestricted outbound network access, and tool poisoning (tools that misrepresent their capabilities or outputs to agents).
With over 43% of MCP tools affected by command injection flaws and a third enabling unrestricted network access, Docker concludes that the current ecosystem is “a security nightmare.”
To address these risks, Docker proposes a hardened approach to MCP tooling that emphasizes container isolation, zero-trust networking, and signed distribution. At the center of their strategy is the MCP Gateway, a proxy that sits between the AI agent and its tool integrations, intercepting calls and enforcing security policies.
Rather than installing MCP servers from npm or running them as local processes, Docker encourages using pre-built, signed containers from its MCP Catalog. These images are cryptographically verified, reducing the chance of supply chain attacks. Each tool runs in its own container with restricted file access, CPU/memory limits, and no outbound network access by default.
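The gateway-and-catalog approach described above comes down to a policy check in front of every tool call. The following is an added example written for this article, not code from Docker's MCP Gateway or MCP Catalog; it assumes (none of this is stated in the article) that calls arrive as JSON-RPC 2.0 `tools/call` requests, that each permitted tool is pinned to an image digest from a signed catalog, that filesystem tools pass a `path` argument confined to a sandbox root, and that outbound network access is denied unless the tool's policy names the destination host. The catalog entries, digests, and sample requests are constructed placeholders.

```python
"""Policy enforcement in the style of an MCP gateway (added example, not
Docker's code). Assumed: JSON-RPC 2.0 ``tools/call`` requests, a digest-pinned
signed catalog, a per-tool sandbox root, and deny-by-default egress."""
import json
import posixpath
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ToolPolicy:
    image_digest: str                       # only this image is ever launched
    sandbox_root: str                       # the only directory the tool may touch
    allowed_hosts: frozenset = frozenset()  # empty means no outbound network at all


# Constructed catalog: placeholder digests, not real images.
CATALOG = {
    "fs_read": ToolPolicy("sha256:" + "a" * 64, "/workspace/project"),
    "http_fetch": ToolPolicy("sha256:" + "b" * 64, "/tmp/http_fetch",
                             frozenset({"api.example.com"})),
}


class PolicyViolation(Exception):
    """Raised when a call is refused; the agent receives an error, not a shell."""


def _confined(root: str, path: str) -> bool:
    """True if `path` stays inside `root` once '..' segments are normalised.

    This check is lexical only; a real gateway must also resolve symlinks
    inside the container before trusting the result.
    """
    root = posixpath.normpath(root)
    full = posixpath.normpath(path if posixpath.isabs(path)
                              else posixpath.join(root, path))
    return full == root or full.startswith(root + "/")


def check_tool_call(request: dict, catalog: dict = CATALOG) -> ToolPolicy:
    """Validate one tools/call request and return the policy it will run under."""
    if request.get("jsonrpc") != "2.0" or request.get("method") != "tools/call":
        raise PolicyViolation("only JSON-RPC 2.0 tools/call requests are forwarded")
    params = request.get("params") or {}
    name = params.get("name")
    policy = catalog.get(name)
    if policy is None:
        # Anything absent from the signed catalog is refused, whatever it claims to do
        raise PolicyViolation(f"tool {name!r} is not in the signed catalog")
    args = params.get("arguments") or {}
    path = args.get("path")
    if path is not None and not _confined(policy.sandbox_root, path):
        raise PolicyViolation(f"path {path!r} escapes {policy.sandbox_root}")
    url = args.get("url")
    if url is not None and urlparse(url).hostname not in policy.allowed_hosts:
        raise PolicyViolation(f"outbound access to {url!r} is not allowed")
    return policy


def evaluate(raw_request: str) -> tuple:
    """Parse a raw JSON-RPC message and report (allowed, digest-or-reason)."""
    try:
        policy = check_tool_call(json.loads(raw_request))
    except (PolicyViolation, ValueError) as exc:
        return False, str(exc)
    return True, policy.image_digest


def container_args(name: str, policy: ToolPolicy) -> list:
    """`docker run` flags a gateway could use to launch this tool (assumed layout)."""
    # No allowed hosts -> --network none; otherwise an assumed per-tool egress network
    network = "none" if not policy.allowed_hosts else f"egress-{name}"
    return [
        "docker", "run", "--rm",
        "--network", network,
        "--read-only", "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
        "--memory", "256m", "--cpus", "1", "--pids-limit", "64",
        "-v", f"{policy.sandbox_root}:/sandbox:ro",
        f"{name}@{policy.image_digest}",   # digest-pinned reference, never a mutable tag
    ]


# Constructed sample traffic an agent might send through the gateway.
SAMPLE_REQUESTS = [
    '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"fs_read","arguments":{"path":"src/main.py"}}}',
    '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"fs_read","arguments":{"path":"../../outside.txt"}}}',
    '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"http_fetch","arguments":{"url":"https://api.example.com/v1"}}}',
    '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"http_fetch","arguments":{"url":"https://other.example.net/"}}}',
    '{"jsonrpc":"2.0","id":5,"method":"tools/call","params":{"name":"shell","arguments":{"cmd":"ls"}}}',
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(evaluate(raw))
    print(" ".join(container_args("fs_read", CATALOG["fs_read"])))
```

Run as a script, the first and third sample requests are admitted (with the digest the tool will run under) and the other three are refused with a reason: a path outside the sandbox, a host the tool is not allowed to reach, and a tool that is not in the catalog. The launch flags show the defaults the article describes: read-only filesystem, dropped capabilities, memory and CPU limits, and `--network none` unless the policy explicitly opens egress.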
Other AI vendors are raising similar concerns. OpenAI now requires explicit user consent before ChatGPT agents perform external actions, while Anthropic has shown that models like Claude Opus 4 may resort to manipulation when operating unsupervised.
As AI agents gain autonomy and plug into critical developer workflows, they introduce a new class of supply chain risk — one where untrusted code isn’t just installed, but invoked dynamically by the model itself. Docker’s warning is clear: without isolation, oversight, and secure defaults, today’s AI conveniences could become tomorrow’s breach vectors.