CVE-2026-34040
March 28, 2026
Summary A security vulnerability has been detected that allows attackers to bypass "authorization plugins (AuthZ)" (https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for "CVE-2024-41110" (https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq). Impact If you don't use AuthZ plugins, you are not affected. Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted. Workarounds If unable to update immediately: - Avoid using AuthZ plugins that rely on request body inspection for security decisions. - Restrict access to the Docker API to trusted parties, following the principle of least privilege. Credits - 1seal / Oleh Konko ("@1seal" (https://github.com/1seal)) - Cody (c@wormhole.guru) - Asim Viladi Oglu Manizada (@manizada) Resources - "CVE-2024-41110 / GHSA-v23v-6jw2-98fq" (https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq)
Affected Packages
https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1https://github.com/moby/moby.git (GITHUB):
Affected version(s) >=docker-v29.0.0-rc.1 <docker-v29.3.1Fix Suggestion:
Update to version docker-v29.3.1github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8github.com/moby/moby/v2 (GO):
Affected version(s) >=v2.0.0-beta.0 <v2.0.0-beta.8Fix Suggestion:
Update to version v2.0.0-beta.8Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.3
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
8.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Incorrect Authorization
