CVE-2026-12039
Docker Sandboxes network egress allowlist bypass via unfiltered DNS resolution
Description
Docker Sandboxes (sbx) enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which the threat model treats as untrusted, can therefore encode data into DNS labels for an attacker-controlled domain and exfiltrate it through a DNS covert channel, bypassing the configured allowlist.
INFO
Published Date :
June 18, 2026, 1:48 p.m.
Last Modified :
June 18, 2026, 1:54 p.m.
Remotely Exploit :
No
Source :
Docker
Affected Products
The following products are affected by CVE-2026-12039
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | MEDIUM | 686469e6-3ff6-451b-ab8b-cf5b9e89401e |
Solution
- Implement egress filtering for DNS traffic.
- Validate DNS resolution policies.
- Apply network allowlist to DNS queries.
- Update DNS server configuration.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-12039 vulnerability anywhere in the article.