DOCKER Engine has been disclosed with a high-severity vulnerability, CVE-2026-34040, that could let an attacker bypass authorization plugins under certain conditions. The flaw, which has a CVSS score of 8.8, stems from an incomplete fix for CVE-2024-41110 and could allow a specially crafted API request to forward to an AuthZ plugin without a body, enabling access that would have been denied.
The issue affects scenarios where a Docker API caller uses an AuthZ plugin that inspects the request body, potentially letting the plugin decisions be bypassed, and has been described as enabling a request to reach the plugin with privileged outcomes. The vulnerability was discovered by multiple researchers including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, and Docker Engine version 29.3.1 has patched the issue.
According to Cyera Research Labs researcher Tokarev, the root cause is the prior fix not handling oversized HTTP request bodies, which could allow a single padded HTTP request to create a privileged container with host file system access. In a hypothetical attack, padding a container creation request to more than 1MB could cause it to be dropped before reaching the AuthZ plugin, with potential access to credentials and cloud or production servers if the attacker can exploit the bypass.