Docker Ask Gordon prompt injection: what IAM teams need to know

TL;DR: Docker’s Ask Gordon beta could be hijacked through malicious Docker Hub metadata, causing automatic tool calls and exfiltration of chat history and build data, with the exploit succeeding even where domain allowlisting was present, according to Pillar Security. The incident shows that trusted-content prompt injection turns repository metadata into executable context, so consent and provenance boundaries matter more than network filters.

NHIMG editorial — based on content published by Pillar Security: Ask Gordon, Meet the Attacker, prompt injection in Docker’s built-in AI assistant

By the numbers:

• The issue was resolved in Docker Desktop 4.50.0 on November 6th, 2025.

Questions worth separating out

Q: How should security teams stop indirect prompt injection in AI assistants?

A: Security teams should prevent external text from becoming executable context.

Q: Why do AI assistants create a new trust problem for identity governance?

A: AI assistants create a new trust problem because they can read data, choose tools, and act on external text in ways traditional review processes do not expect.

Q: What breaks when an AI assistant can access private data and untrusted content at the same time?

A: When an assistant can access private data and ingest untrusted content, a small injected instruction can become a data-exfiltration path.

Practitioner guidance

• Separate display content from executable context Classify repository metadata, README text, and issue content as untrusted by default, and prevent those fields from directly driving tool calls or outbound requests.
• Gate all egress-triggering actions with explicit consent Require a human approval step before any assistant can fetch remote URLs, send data externally, or invoke tools that can expose build logs, chat history, or other sensitive context.
• Test assistants against indirect prompt injection Red-team developer assistants with poisoned metadata, hidden instructions, and malicious follow-on links to verify that tool use stops at the intended trust boundary.

What's in the full article

Pillar Security's full research covers the operational detail this post intentionally leaves for the source:

• The exact malicious metadata pattern used to trigger Ask Gordon's follow-on fetch and tool calls.
• The recorded sequence of internal tool invocations, including list_builds and build_logs, that supported the exfiltration chain.
• The mitigation behaviour after Docker Desktop 4.50.0 and how human-in-the-loop confirmation changed execution flow.
• The sanitized network capture that shows how the assistant packaged chat and tool output for outbound transfer.

👉 Read Pillar Security's analysis of Ask Gordon prompt injection in Docker Desktop →

Docker Ask Gordon prompt injection: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →