CVE-2025-6587 MEDIUM

CVE-2025-6587: Exposure of system environment variables in Docker Desktop diagnostic logs

Vendor: Docker
Product: Docker Desktop
Weakness: CWE-532 · Sensitive info in logs
Published: July 3, 2025
Last update: February 26, 2026

CVSS base score

5.2/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

System environment variables are recorded in Docker Desktop diagnostic logs when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as API keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0, Docker Desktop no longer logs system environment variables as part of diagnostics log collection.

Key dates

02 Disclosure timeline

July 3, 2025: CVE published
February 26, 2026: Record updated