A high-severity security vulnerability has been discovered in Docker Engine

A high-severity security vulnerability tracked as CVE-2026-34040 (CVSS score: 8.8) has been discovered in Docker Engine. According to the report, under certain conditions the flaw allows an attacker to bypass authorization plugins (AuthZ) and obtain extensive privileges over the host system.

According to available information, the vulnerability stems from an incomplete fix for the earlier CVE-2024-41110. A specially crafted API request can cause the Docker daemon to forward the request to the authorization plugin without its body. As a result, plugins that base their access-control decisions on inspecting the request body may permit an operation they would otherwise have denied.

Technical analysis indicates that the root cause is improper handling of oversized HTTP request bodies. By padding a container creation request to more than 1 MB, an attacker can prevent the full request from being forwarded to the plugin. The plugin, seeing no body, does not restrict the request, while the Docker daemon processes the full request and creates a privileged container with access to the host file system.

In such an exploitation scenario, an attacker could obtain AWS credentials, SSH keys, Kubernetes configurations and other sensitive data stored on the host, which could in turn lead to the compromise of cloud accounts, Kubernetes clusters and production environments. It is also noted that artificial intelligence agents operating in Docker-based sandbox environments could trigger this vulnerability: when reacting to errors encountered during certain debugging tasks, such agents may construct a padded HTTP request and thereby bypass authorization controls.

The issue has been fixed in Docker Engine version 29.3.1. As temporary mitigations, it is recommended to restrict access to the Docker API to trusted users only, to use rootless mode, and to exercise caution when relying on AuthZ plugins whose security decisions depend on inspecting the request body.
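The last mitigation above points at a design principle for AuthZ plugins: a plugin that inspects the request body must fail closed when a body-bearing request arrives with no body, rather than treating "nothing to inspect" as "nothing to deny". The following Go snippet is an added example written for this page; it is not Docker's code nor any published plugin. It models the decision function of a hypothetical AuthZ plugin, using field names that follow the Docker authorization plugin request and response structures (`User`, `RequestMethod`, `RequestURI`, `RequestBody`, `Allow`, `Msg`), but the policy, the `createBody` subset of the container-create schema and the sample requests are all constructed assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest holds the subset of fields an AuthZ plugin receives from the
// daemon for each API call (field names follow the Docker AuthZ plugin protocol).
type AuthZRequest struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"` // may be empty if the daemon did not forward it
}

// AuthZResponse is the plugin's decision returned to the daemon.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}

// createBody is the (assumed, simplified) part of a container-create request
// that this example policy inspects.
type createBody struct {
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		Binds      []string `json:"Binds"`
	} `json:"HostConfig"`
}

// bodyExpected reports whether this request type always carries a JSON body:
// container creation is a POST to .../containers/create.
func bodyExpected(req AuthZRequest) bool {
	return req.RequestMethod == "POST" && strings.Contains(req.RequestURI, "/containers/create")
}

// Decide applies the policy. The security-relevant branch is the empty-body
// case: the plugin refuses to authorize a request it cannot see (fail closed).
func Decide(req AuthZRequest) AuthZResponse {
	if !bodyExpected(req) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "container create without a forwarded body: refusing to authorize blind"}
	}
	var body createBody
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return AuthZResponse{Allow: false, Msg: "container create body is not valid JSON"}
	}
	if body.HostConfig.Privileged {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
	}
	for _, bind := range body.HostConfig.Binds {
		// A bind is "source:destination[:options]"; block mounting the host root.
		if strings.SplitN(bind, ":", 2)[0] == "/" {
			return AuthZResponse{Allow: false, Msg: "binding the host root filesystem is not permitted"}
		}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	// Constructed sample requests, not captured traffic.
	samples := []AuthZRequest{
		{User: "dev", RequestMethod: "GET", RequestURI: "/v1.45/info"},
		{User: "dev", RequestMethod: "POST", RequestURI: "/v1.45/containers/create?name=web",
			RequestBody: []byte(`{"HostConfig":{"Binds":["/srv/app:/app:ro"]}}`)},
		{User: "dev", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestBody: []byte(`{"HostConfig":{"Privileged":true,"Binds":["/:/host"]}}`)},
		{User: "dev", RequestMethod: "POST", RequestURI: "/v1.45/containers/create"}, // body not forwarded
	}
	for _, s := range samples {
		r := Decide(s)
		fmt.Printf("%-5s %-40s allow=%-5t %s\n", s.RequestMethod, s.RequestURI, r.Allow, r.Msg)
	}
}
```

The fourth sample is the shape a plugin sees when the daemon drops the body: a permissive plugin would return `Allow: true` there, which is exactly the gap described above. Denying it costs nothing for legitimate clients, since a genuine container-create call always carries a body.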
