Category

Docker

Security vulnerabilities and automated fixes for docker issues

3 posts found

critical7 min

Local File Inclusion in Crawl4AI Docker API via file:// URL Injection

CVE-2026-26217 is a critical Local File Inclusion (LFI) vulnerability in Crawl4AI versions prior to 0.8.0, where the Docker API fails to restrict `file://` URL schemes, allowing attackers to read arbitrary files from the host filesystem. The fix upgrades `crawl4ai` from `0.7.6` to `0.8.0` in `pyproject.toml` and `uv.lock`, closing a direct path to sensitive file exfiltration in any containerized deployment using this library.

#lfi#crawl4ai#docker+4 more
O
orbisai0security
May 29, 2026
high8 min

Locking Down Docker: Preventing Privilege Escalation in Container Services

A high-severity privilege escalation vulnerability was discovered in a Docker Compose configuration where the `nginx` service lacked the `no-new-privileges` security option and was running with a writable root filesystem. These misconfigurations could allow a compromised container process to gain elevated permissions or download and execute malicious payloads. The fix applies defense-in-depth by adding `no-new-privileges:true`, enforcing a read-only root filesystem, and redirecting writable path

#docker#container-security#privilege-escalation+4 more
O
orbisai0security
May 28, 2026
medium7 min

Plaintext OAuth Token Storage: A Medium-Severity Vulnerability Fix

A medium-severity vulnerability was discovered in a Docker CLI authentication plugin where OAuth tokens and API keys were stored in plaintext on the local filesystem without any encryption. Despite having PBKDF2 cryptographic capabilities available in the project dependencies, the authentication store was writing sensitive credentials directly to disk, exposing them to potential theft by malicious actors with filesystem access.

#security#oauth#authentication+4 more
O
orbisai0security
Mar 28, 2026