{"id":527,"date":"2026-04-07T16:30:18","date_gmt":"2026-04-07T16:30:18","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=527"},"modified":"2026-04-07T16:30:18","modified_gmt":"2026-04-07T16:30:18","slug":"docker-cve-2026-34040-lets-attackers-bypass-authorization-and-gain-host-access","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=527","title":{"rendered":"Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 07, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ DevSecOps<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins\u00a0(<a href=\"https:\/\/docs.docker.com\/engine\/extend\/plugins_authorization\/\">AuthZ<\/a>) under specific circumstances.<\/p>\n<p>The vulnerability, tracked\u00a0as <strong>CVE-2026-34040<\/strong> (CVSS score: 8.8), stems from an incomplete fix\u00a0for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July\u00a02024.<\/p>\n<p>\u00abUsing a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body,\u00bb Docker Engine maintainers <a
href=\"https:\/\/github.com\/moby\/moby\/security\/advisories\/GHSA-x744-4wpc-v9h2\">said<\/a> in an advisory released late last month. \u00abThe authorization plugin may allow a\u00a0request which\u00a0it would have otherwise denied if the body had been forwarded to\u00a0it.\u00bb<\/p>\n<p>\u00abAnyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.\u00bb<\/p>\n<p>Multiple security researchers, including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, have been credited with independently discovering and reporting the bug. The\u00a0issue has been patched in Docker Engine version\u00a029.3.1.<\/p>\n<p>According to a report published by Cyera Research Labs researcher Tokarev, the vulnerability stems from the fact that the fix for CVE-2024-41110 did not properly handle oversized HTTP request bodies, thereby opening the door to a scenario where a single padded HTTP request can be used to create a privileged container with host file system\u00a0access.<\/p>\n<p>In a hypothetical attack scenario, an attacker whose Docker API access is restricted by an AuthZ plugin can undermine the mechanism by padding a container creation request to more than 1MB, causing the body to be dropped before the request reaches the\u00a0plugin.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiH4ka_B1DSzlUVuDeXn6XJ7EwZu_-onrUOiFhKNTNAO5A2GZpkNeHmIrVrAMn_hijwElw3MpQ5MjZJ0wCt6RhEVtZPf6nMirUTQ6VlbLSGUkD5SDex3P5me9gBbMQGP86nTS3DRpQr9SCXKGH9f9cvnxzde_OjXQZP4QubuEaL4IcReJ4hM9VWwehmRhcy\/s1700-e365\/flow-2.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiH4ka_B1DSzlUVuDeXn6XJ7EwZu_-onrUOiFhKNTNAO5A2GZpkNeHmIrVrAMn_hijwElw3MpQ5MjZJ0wCt6RhEVtZPf6nMirUTQ6VlbLSGUkD5SDex3P5me9gBbMQGP86nTS3DRpQr9SCXKGH9f9cvnxzde_OjXQZP4QubuEaL4IcReJ4hM9VWwehmRhcy\/s1700-e365\/flow-2.png\" alt=\"\" border=\"0\" data-original-height=\"232\" data-original-width=\"1600\"\/><\/a><\/div>\n<p>\u00abThe plugin allows the request because it sees nothing to block,\u00bb\u00a0Tokarev <a href=\"https:\/\/www.cyera.com\/research\/one-megabyte-to-root-how-a-size-check-broke-dockers-last-line-of-defense\">said<\/a> in a report shared with The Hacker News. \u00abThe Docker daemon processes the full request and creates a privileged container with root access to the host: your AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. 
This\u00a0works against every AuthZ plugin in the ecosystem.\u00bb<\/p>\n<p>What&#8217;s more, an artificial intelligence (AI) coding agent\u00a0like <a href=\"https:\/\/www.docker.com\/blog\/run-openclaw-securely-in-docker-sandboxes\/\">OpenClaw running inside a Docker-based\u00a0sandbox<\/a> can be tricked into executing a prompt injection concealed within a specifically crafted GitHub repository as part of a regular developer workflow, resulting in the execution of malicious code that exploits CVE-2026-34040 to bypass authorization using the above approach and create a privileged container and mount the host file\u00a0system.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigRGlEo7XzRq2E2fqxGJdV3OCM6Yck6N3WlKKwAW-RKb2zQi0PPG7ILIoBhNWYuWlcBqPvTkncoBivRO2LaBi9PTod-G2smCkBTUR2uexu4sWqml3Mx8XwZSKudbfUWeg1FmLi_v8ahOPbluvIIHJx2gntn-oeloAhJlz8YLKm19i-2a7j5Q47xxLYYcMe\/s1700-e365\/flow-1.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigRGlEo7XzRq2E2fqxGJdV3OCM6Yck6N3WlKKwAW-RKb2zQi0PPG7ILIoBhNWYuWlcBqPvTkncoBivRO2LaBi9PTod-G2smCkBTUR2uexu4sWqml3Mx8XwZSKudbfUWeg1FmLi_v8ahOPbluvIIHJx2gntn-oeloAhJlz8YLKm19i-2a7j5Q47xxLYYcMe\/s1700-e365\/flow-1.png\" alt=\"\" border=\"0\" data-original-height=\"883\" data-original-width=\"1600\"\/><\/a><\/div>\n<p>With this level of access in place, the attacker can extract credentials for\u00a0cloud services, and abuse them to take control of cloud accounts, Kubernetes clusters, and even SSH into production\u00a0servers.<\/p>\n<p>It doesn&#8217;t end there. 
Cyera\u00a0also cautioned that AI agents\u00a0can <a href=\"https:\/\/ona.com\/stories\/how-claude-code-escapes-its-own-denylist-and-sandbox\">figure out the bypass on their\u00a0own<\/a> and trigger it by constructing a padded HTTP request upon encountering errors when attempting to access files\u00a0like <a href=\"https:\/\/kubernetes.io\/docs\/concepts\/configuration\/organize-cluster-access-kubeconfig\/\">kubeconfig<\/a> as part of a legitimate debugging task issued by a developer (e.g., debug the K8s out-of-memory issue). This\u00a0approach eliminates the need for planting a poisoned repository containing the malicious instructions.<\/p>\n<p>\u00abAuthZ plugin denied the mount request,\u00bb Cyera explained. \u00abThe agent has access to the Docker API and knows how HTTP works. CVE-2026-34040 doesn&#8217;t require any exploit code, privilege, or special tools. It&#8217;s a single HTTP request with extra padding.
Any\u00a0agent that can read Docker API documentation can construct\u00a0it.\u00bb<\/p>\n<p>As temporary workarounds, it&#8217;s recommended to avoid using AuthZ plugins that rely on request body inspection for security decisions, limit access to the Docker API to trusted parties by following the principle of least privilege, or run Docker\u00a0in <a href=\"https:\/\/docs.docker.com\/engine\/security\/rootless\/\">rootless\u00a0mode<\/a>.<\/p>\n<p>\u00abIn rootless mode, even a privileged container&#8217;s &#8216;root&#8217; maps to an unprivileged host UID,\u00bb Tokarev said. \u00abThe blast radius drops from &#8216;full host compromise&#8217; to &#8216;compromised unprivileged user.&#8217; For environments that can&#8217;t go fully rootless, --userns-remap provides similar UID\u00a0mapping.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 07, 2026. Vulnerability \/ DevSecOps. A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins\u00a0(AuthZ) under specific circumstances.
The vulnerability,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":528,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[130,622,1108,394,1107,136,580,1109,332],"class_list":["post-527","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-access","tag-attackers","tag-authorization","tag-bypass","tag-cve202634040","tag-docker","tag-gain","tag-host","tag-lets"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=527"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/527\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/528"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}