[Bug]: PentAGI Container Escape via Prompt Injection #337

@ez-lbz

Description

Affected Component

AI Agents (Researcher/Developer/...)

Describe the bug

PentAGI Container Escape via Prompt Injection

Summary

PentAGI mounts the host Docker socket (/var/run/docker.sock) into agent sandbox containers when deployed via Docker Compose, allowing a prompt-injected AI agent to escape its sandbox and execute arbitrary commands on the host through the Docker API.


Root Cause

In backend/pkg/docker/client.go:282-284, when DOCKER_INSIDE is true, every per-flow sandbox container is created with the host Docker socket bind-mounted:

if dc.inside {
    hostConfig.Binds = append(hostConfig.Binds,
        fmt.Sprintf("%s:%s", dc.socket, defaultDockerSocketPath))
}

dc.inside is controlled by the DOCKER_INSIDE environment variable, which defaults to true in the shipped docker-compose.yml. The defaultDockerSocketPath is /var/run/docker.sock.


Impact

With host Docker socket access, an attacker can:

  • Host compromise: docker run --privileged -v /:/host ... mounts the host root filesystem into a new container, providing full read/write access to the host.
  • Lateral movement: Access to all containers, images, volumes, and networks on the host.

Steps to Reproduce

none

System Configuration

none

Logs and Artifacts

No response

Screenshots or Recordings

No response

Verification

  • I have checked that this issue hasn't been already reported
  • I have provided all relevant configuration files (with sensitive data removed)
  • I have included relevant logs and error messages
  • I am running the latest version of PentAGI

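The report above states the risk but gives no reproduction or configuration details. A deployer who wants to confirm whether any sandbox container on a host has been started with the Docker socket bound in can do so from `docker inspect` output. The following is an added example written for this page, not PentAGI code: it parses the `Mounts` and `HostConfig.Binds` fields of `docker inspect` JSON and reports every container whose mount sources point at a host Docker daemon socket. It goes slightly beyond the report's case by matching on the host-side source path, so a socket that is renamed inside the container is still caught. The embedded JSON and the container names in it are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of `docker inspect <containers...>` output, trimmed to the
// fields this check reads. It is not captured from a real PentAGI deployment;
// names and IDs are invented.
const sampleInspect = `[
  {
    "Id": "aaa111",
    "Name": "/pentagi-flow-42",
    "HostConfig": {
      "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
      "Privileged": false
    },
    "Mounts": [
      {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}
    ]
  },
  {
    "Id": "bbb222",
    "Name": "/pentagi-flow-43",
    "HostConfig": {"Binds": ["/data/flow43:/work"], "Privileged": false},
    "Mounts": [
      {"Type": "bind", "Source": "/data/flow43", "Destination": "/work"}
    ]
  },
  {
    "Id": "ccc333",
    "Name": "/custom-sandbox",
    "HostConfig": {"Binds": ["/run/docker.sock:/run/dock.sock"], "Privileged": true},
    "Mounts": [
      {"Type": "bind", "Source": "/run/docker.sock", "Destination": "/run/dock.sock"}
    ]
  }
]`

type mount struct {
	Type        string `json:"Type"`
	Source      string `json:"Source"`
	Destination string `json:"Destination"`
}

type container struct {
	ID         string `json:"Id"`
	Name       string `json:"Name"`
	HostConfig struct {
		Binds      []string `json:"Binds"`
		Privileged bool     `json:"Privileged"`
	} `json:"HostConfig"`
	Mounts []mount `json:"Mounts"`
}

// Finding describes one container that can reach the host Docker daemon.
type Finding struct {
	Name       string
	Reason     string
	Privileged bool
}

// isDockerSocket matches the host-side paths a Docker daemon socket commonly
// lives at. Matching the source rather than the in-container destination
// catches mounts that rename the socket inside the sandbox.
func isDockerSocket(hostPath string) bool {
	switch strings.TrimRight(hostPath, "/") {
	case "/var/run/docker.sock", "/run/docker.sock":
		return true
	}
	return false
}

// FindSocketMounts parses `docker inspect` JSON and returns one Finding per
// container whose Mounts or HostConfig.Binds expose the host Docker socket.
func FindSocketMounts(inspectJSON []byte) ([]Finding, error) {
	var containers []container
	if err := json.Unmarshal(inspectJSON, &containers); err != nil {
		return nil, fmt.Errorf("parse inspect output: %w", err)
	}
	var findings []Finding
	for _, c := range containers {
		reason := ""
		for _, m := range c.Mounts {
			if m.Type == "bind" && isDockerSocket(m.Source) {
				reason = "bind mount " + m.Source + " -> " + m.Destination
				break
			}
		}
		// Binds is the raw "host:container[:opts]" form; check it as well in
		// case Mounts is missing from the inspect output.
		if reason == "" {
			for _, b := range c.HostConfig.Binds {
				if parts := strings.SplitN(b, ":", 2); isDockerSocket(parts[0]) {
					reason = "HostConfig.Binds entry " + b
					break
				}
			}
		}
		if reason != "" {
			findings = append(findings, Finding{
				Name:       strings.TrimPrefix(c.Name, "/"),
				Reason:     reason,
				Privileged: c.HostConfig.Privileged,
			})
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindSocketMounts([]byte(sampleInspect))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s socket exposed via %s (privileged=%v)\n", f.Name, f.Reason, f.Privileged)
	}
}
```

On a live host the input would come from `docker inspect $(docker ps -q)` instead of the embedded constant. Any sandbox container listed in the output has the same reach into the daemon that the report describes, whether or not it is also privileged.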
Metadata

Labels

bug: Something isn't working
