[GH-ISSUE #337] [Bug]: PentAGI Container Escape via Prompt Injection #109

Open
opened 2026-06-06 22:09:11 -04:00 by yindo · 1 comment
Owner

Originally created by @ez-lbz on GitHub (Jun 5, 2026).
Original GitHub issue: https://github.com/vxcontrol/pentagi/issues/337

Originally assigned to: @asdek on GitHub.

Affected Component

AI Agents (Researcher/Developer/...)

Describe the bug

PentAGI Container Escape via Prompt Injection

Summary

PentAGI mounts the host Docker socket (/var/run/docker.sock) into agent sandbox containers when deployed via Docker Compose, allowing a prompt-injected AI agent to escape its sandbox and execute arbitrary commands on the host through the Docker API.


Root Cause

In backend/pkg/docker/client.go:282-284, when DOCKER_INSIDE is true, every per-flow sandbox container is created with the host Docker socket bind-mounted:

if dc.inside {
    hostConfig.Binds = append(hostConfig.Binds,
        fmt.Sprintf("%s:%s", dc.socket, defaultDockerSocketPath))
}

dc.inside is controlled by the DOCKER_INSIDE environment variable, which defaults to true in the shipped docker-compose.yml. The defaultDockerSocketPath is /var/run/docker.sock.


Impact

With host Docker socket access, an attacker can:

  • Host compromise: docker run --privileged -v /:/host ... mounts the host root filesystem into a new container, providing full read/write access to the host.
  • Lateral movement: Access to all containers, images, volumes, and networks on the host.

Steps to Reproduce

none

System Configuration

none

Logs and Artifacts

No response

Screenshots or Recordings

No response

Verification

  • I have checked that this issue hasn't been already reported
  • I have provided all relevant configuration files (with sensitive data removed)
  • I have included relevant logs and error messages
  • I am running the latest version of PentAGI
Originally created by @ez-lbz on GitHub (Jun 5, 2026). Original GitHub issue: https://github.com/vxcontrol/pentagi/issues/337 Originally assigned to: @asdek on GitHub. ### Affected Component AI Agents (Researcher/Developer/...) ### Describe the bug # PentAGI Container Escape via Prompt Injection ## Summary PentAGI mounts the host Docker socket (`/var/run/docker.sock`) into agent sandbox containers when deployed via Docker Compose, allowing a prompt-injected AI agent to escape its sandbox and execute arbitrary commands on the **host** through the Docker API. --- ## Root Cause In `backend/pkg/docker/client.go:282-284`, when `DOCKER_INSIDE` is true, every per-flow sandbox container is created with the host Docker socket bind-mounted: ```go if dc.inside { hostConfig.Binds = append(hostConfig.Binds, fmt.Sprintf("%s:%s", dc.socket, defaultDockerSocketPath)) } ``` `dc.inside` is controlled by the `DOCKER_INSIDE` environment variable, which defaults to `true` in the shipped `docker-compose.yml`. The `defaultDockerSocketPath` is `/var/run/docker.sock`. --- ## Impact With host Docker socket access, an attacker can: - **Host compromise**: `docker run --privileged -v /:/host ...` mounts the host root filesystem into a new container, providing full read/write access to the host. - **Lateral movement**: Access to all containers, images, volumes, and networks on the host. ### Steps to Reproduce none ### System Configuration none ### Logs and Artifacts _No response_ ### Screenshots or Recordings _No response_ ### Verification - [ ] I have checked that this issue hasn't been already reported - [ ] I have provided all relevant configuration files (with sensitive data removed) - [ ] I have included relevant logs and error messages - [ ] I am running the latest version of PentAGI
yindo added the bug label 2026-06-06 22:09:11 -04:00
Author
Owner

@ez-lbz commented on GitHub (Jun 5, 2026):

Sandbox Container: pentagi-terminal-3

├─ /var/run/docker.sock (Successfully mounted, srw-rw----)

├─ POST /containers/create → Privileged Container with Volume Mount (-v /:/host)
│ └─ 201 Created
├─ POST /containers/{id}/start → 204 No Content
├─ POST /containers/{id}/wait → StatusCode=0
├─ GET /containers/{id}/logs → Host filesystem data exfiltration (Leakage)
└─ DELETE /containers/{id} → Footprint cleanup / Clearing tracks

<!-- gh-comment-id:4632247638 --> @ez-lbz commented on GitHub (Jun 5, 2026): Sandbox Container: pentagi-terminal-3 │ ├─ /var/run/docker.sock (Successfully mounted, srw-rw----) │ ├─ POST /containers/create → Privileged Container with Volume Mount (-v /:/host) │ └─ 201 Created ├─ POST /containers/{id}/start → 204 No Content ├─ POST /containers/{id}/wait → StatusCode=0 ├─ GET /containers/{id}/logs → Host filesystem data exfiltration (Leakage) └─ DELETE /containers/{id} → Footprint cleanup / Clearing tracks
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: vxcontrol/pentagi#109