A high-severity security vulnerability has been disclosed in Docker Engine that would allow an attacker to bypass authorization plugins (AuthZ) below particular circumstances.
The vulnerability, tracked as CVE-2026-34040 (CVSS rating: 8.8), stems from an incomplete repair for CVE-2024-41110, a maximum-severity vulnerability in the identical part that got here to gentle in July 2024.
“Utilizing a specially-crafted API request, an attacker may make the Docker daemon ahead the request to an authorization plugin with out the physique,” Docker Engine maintainers stated in an advisory launched late final month. “The authorization plugin could permit a request which it will have in any other case denied if the physique had been forwarded to it.”
“Anybody who is dependent upon authorization plugins that introspect the request physique to make entry management selections is probably impacted.”
A number of security vulnerabilities, together with Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, have been credited with independently discovering and reporting the bug. The concern has been patched in Docker Engine model 29.3.1.
In line with a report printed by Cyera Analysis Labs researcher Tokarev, the vulnerability stems from the truth that the repair for CVE-2024-41110 didn’t correctly deal with outsized HTTP request our bodies, thereby opening the door to a state of affairs the place a single padded HTTP request can be utilized to create a privileged container with host file system entry.
In a hypothetical assault state of affairs, an attacker who has Docker API entry restricted by an AuthZ plugin can undermine the mechanism by padding a container creation request to greater than 1MB, inflicting it to be dropped earlier than reaching the plugin.
“The plugin permits the request as a result of it sees nothing to dam,” Tokarev stated in a report shared with The Hacker Information. “The Docker daemon processes the total request and creates a privileged container with root entry to the host: your AWS credentials, SSH keys, Kubernetes configs, and every little thing else on the machine. This works towards each AuthZ plugin within the ecosystem.”
What’s extra, a man-made intelligence (AI) coding agent like OpenClaw operating inside a Docker-based sandbox might be tricked into executing a immediate injection hid inside a particularly crafted GitHub repository as a part of an everyday developer workflow, ensuing within the execution of malicious code that exploits CVE-2026-34040 to bypass authorization utilizing the above method and create a privileged container and mount the host file system.
With this degree of entry in place, the attacker can extract credentials for cloud providers, and abuse them to take management of cloud accounts, Kubernetes clusters, and even SSH into manufacturing servers.
It would not finish there. Cyera additionally cautioned that AI brokers can work out the bypass on their personal and set off it by establishing a padded HTTP request upon encountering errors when trying to entry recordsdata like kubeconfig as a part of a reliable debugging activity issued by a developer (e.g., debug the K8s out-of-memory concern). This method eliminates the necessity for planting a poisoned repository containing the malicious directions.
“AuthZ plugin denied the mount request,” Cyera defined. “The agent has entry to the Docker API and is aware of how HTTP works. CVE-2026-34040 would not require any exploit code, privilege, or particular instruments. It is a single HTTP request with additional padding. Any agent that may learn Docker API documentation can assemble it.”
As non permanent workarounds, it is really useful to keep away from utilizing AuthZ plugins that depend on request physique inspection for security selections, restrict entry to the Docker API to trusted events by following the precept of least privilege, or run Docker in rootless mode.
“In rootless mode, even a privileged container’s ‘root’ maps to an unprivileged host UID,” Tokarev stated. “The blast radius drops from ‘full host compromise’ to ‘compromised unprivileged person.’ For environments that may’t go absolutely rootless, –userns-remap gives comparable UID mapping.”
