Authorization Bypass Vulnerability in Moby (Docker Engine) – "CVE-2026-34040"

April 23rd, 2026

High

Our Cyber Threat Intelligence Unit is monitoring a high-severity vulnerability in Docker Engine (CVE-2026-34040), disclosed in March 2026, that impacts environments using authorization (AuthZ) plugins for access control. The issue stems from how Docker processes large API requests, which under certain conditions can lead to incomplete security evaluations. This vulnerability is particularly relevant for organizations that expose Docker APIs or rely on plugin-based authorization to secure container environments. Successful exploitation may allow attackers to create highly privileged containers and gain deeper access to host systems. Exposure may be further increased by misconfigurations introduced through automated tooling or AI-assisted deployments. Organizations running Docker in production or cloud environments should assess their exposure and apply the necessary updates and mitigations as soon as possible.

Technical Details

  • Severity: High

  • CVE: CVE-2026-34040

  • CVSS Score: 8.8

  • Vulnerability Type: Authorization Bypass

  • Affected Component: Docker Engine (Authorization Plugin Handling)

  • Affected Versions: All versions prior to 29.3.1

  • Attack Vector:

    • Local access to the Docker API.

    • Requires valid or misconfigured access permissions.

  • Exploitation Mechanics:

    • The vulnerability stems from improper handling of large HTTP request bodies by the Docker daemon during authorization checks.

  • Root Cause:

    • HTTP requests exceeding ~1MB are truncated or dropped when forwarded to authorization plugins.

    • Authorization plugins receive incomplete request context including missing request body data.

    • Security decisions are made without full visibility into the complete request payload.

    • The Docker daemon proceeds to process the full original request, bypassing authorization enforcement.

  • Attack Chain:

    • The attacker identifies a system where the Docker API is exposed—either publicly accessible or protected by weak access controls.

    • After gaining access, the attacker sends a specially crafted API request to create a new container. This request is intentionally oversized (greater than 1MB) to exploit a weakness in how Docker processes large payloads.

    • When Docker forwards the request to the authorization plugin for evaluation, it does not include the full request content. As a result, the plugin cannot see critical portions of the request, such as configurations that may indicate privileged or risky operations.

    • Because the authorization plugin receives incomplete data, it incorrectly determines that the request is safe and allows it to proceed.

    • Meanwhile, the Docker engine processes the full, original request, including the hidden or malicious parameters that were not visible to the plugin.

    • This enables the attacker to create a container with elevated privileges, potentially granting access to the host system, sensitive directories, or other restricted resources.

    • Once the container is running with these elevated permissions, the attacker can access sensitive data, disrupt system operations, or potentially gain full control of the host machine.

  • Organizations not using AuthZ plugins are not impacted by this issue.

  • CVE-2026-34040 results from an incomplete remediation of CVE-2024-41110, a previously identified maximum-severity vulnerability affecting the same component. Organizations that have already applied patches for CVE-2024-41110 are still required to upgrade to version 29.3.1.
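The root cause above is a plugin deciding on a request whose body it never fully received. As an added illustration (not code from Docker, Moby or this advisory), the decision function below models the AuthZ plugin request and response with only the fields it needs (RequestMethod, RequestURI, RequestBody; Allow, Msg) and fails closed: a container-create request with an empty or unparseable body is denied rather than allowed by default, and a body that parses is checked for privileged settings. The HostConfig field names mirror the Docker ContainerCreate payload.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Request carries the AuthZ plugin request fields this policy reads
// (the real AuthZReq payload has more). Illustrative code, not moby's.
type Request struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"`
}

// Response mirrors the AuthZ plugin verdict.
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// createSpec holds only the ContainerCreate fields the policy inspects.
type createSpec struct {
	HostConfig struct {
		Privileged bool   `json:"Privileged"`
		PidMode    string `json:"PidMode"`
	} `json:"HostConfig"`
}

// Decide fails closed: a container-create request whose body the plugin
// cannot see or parse is denied instead of being allowed by default.
func Decide(r Request) Response {
	if r.RequestMethod != "POST" || !strings.Contains(r.RequestURI, "/containers/create") {
		return Response{Allow: true} // outside this policy's scope
	}
	if len(r.RequestBody) == 0 {
		return Response{Allow: false, Msg: "container create without visible body; denied"}
	}
	var spec createSpec
	if err := json.Unmarshal(r.RequestBody, &spec); err != nil {
		return Response{Allow: false, Msg: "unparseable container create body; denied"}
	}
	if spec.HostConfig.Privileged || spec.HostConfig.PidMode == "host" {
		return Response{Allow: false, Msg: "privileged or host-PID container denied"}
	}
	return Response{Allow: true}
}
```

A plugin written this way still needs the daemon patched; failing closed only stops the bypass from turning a missing body into an implicit allow.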

Impact

  • Attackers can create highly privileged containers, giving them deeper access than standard applications and potentially allowing full control of the underlying host system.

  • Once access is established, sensitive information—such as system files, credentials, or cloud configuration data—may be viewed, copied, or modified without authorization.

  • Attackers with local access can bypass authorization (AuthZ) plugins to perform unauthorized container operations, increasing the risk of a complete compromise of both the container environment and the host.

  • These malicious containers may disrupt normal operations by interfering with applications, degrading system performance, or causing service outages.

  • If access is maintained, attackers can continue moving laterally across systems, amplifying the impact and making remediation and recovery significantly more challenging for the organization.

Detection Method

  • Monitor for unusually large requests sent to Docker services, as attackers may use oversized payloads to bypass security controls.

  • Track the creation of new containers, especially those requesting elevated privileges or permissions that are not typically required for normal operations.

  • Review logs for unexpected or suspicious activity, such as containers being created without clear authorization or outside normal workflows.

  • Look for indicators of containers accessing sensitive areas of the system, such as system directories or configuration files that are not typically accessed during standard operations.

  • Observe systems for unusual behavior following container deployment, including performance degradation, unexpected processes, or unknown background activity.

Indicators of Compromise

No Indicators of Compromise (IoCs) have been observed.

Recommendations

  • Update Docker Engine to version 29.3.1 or later to ensure the vulnerability is remediated and systems are protected.

  • Restrict access to the Docker API so that only trusted users and systems can interact with it, reducing the risk of unauthorized access.

  • Avoid exposing Docker services directly to the internet, as this increases the likelihood of discovery and exploitation by attackers.

  • Review the use of authorization (AuthZ) plugins, particularly those that rely on inspecting request data, and ensure they are not the sole layer of security.

  • Continuously monitor container activity to detect unusual behavior, such as unexpected, privileged containers or abnormal system access patterns.

  • Implement network controls and segmentation to isolate Docker environments from critical systems, limiting the impact of a potential compromise.

  • Apply the principle of least privilege, ensuring users and services are granted only the minimum level of access necessary to perform their functions.

Conclusion

The disclosed high-severity vulnerability in Docker Engine highlights how gaps in request validation can weaken security controls within containerized environments. Organizations should take immediate action to mitigate this risk by upgrading to Docker Engine version 29.3.1, which addresses the vulnerability. Key action items include avoiding reliance on authorization (AuthZ) plugins that depend on inspecting request bodies for security decisions, restricting Docker API access to trusted users and systems, and considering the use of rootless mode or user namespace remapping to reduce potential impact. It is crucial for organizations to stay informed about this evolving threat landscape by closely monitoring security advisories and updates from Docker and cybersecurity sources. Proactive security measures and continuous vigilance are critical to protecting infrastructure from emerging vulnerabilities.