CVE-2026-33997
Published:March 31, 2026
Updated:April 23, 2026
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.
Affected Packages
https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.8
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Off-by-one Error
EPSS
Base Score:
0.01
