Fyself News
Docker CVE-2026-34040 allows attackers to bypass authentication and gain host access

By Ravi Lakshmanan, April 7, 2026, Vulnerabilities / DevSecOps

A high-severity security vulnerability has been disclosed in Docker Engine that could allow an attacker to bypass the authentication plugin (AuthZ) under certain circumstances.

The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), results from an incomplete remediation of CVE-2024-41110, a critical-severity vulnerability in the same component that was disclosed in July 2024.

“An attacker could use a specially crafted API request to cause the Docker daemon to forward the request to the authorization plugin without the body,” Docker Engine maintainers said in an advisory released late last month. “Authorization plugins may allow requests that would have been denied if the body had been forwarded.”

“Those who rely on authorization plugins that introspect the request body to make access control decisions are potentially affected.”

Multiple security researchers are credited with independently discovering and reporting the bug, including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev. The issue has been patched in Docker Engine version 29.3.1.

According to a report published by Cyera Research Labs researcher Tokarev, the vulnerability stems from the fact that the fix for CVE-2024-41110 did not properly handle HTTP request bodies that are too large, thus opening the door to a scenario where a single padded HTTP request could be used to create a privileged container with access to the host file system.

In a hypothetical attack scenario, an attacker whose Docker API access is restricted by an AuthZ plugin could pad a container creation request to more than 1MB, causing the daemon to drop the request body before it reaches the plugin and thereby weakening the mechanism.

“The plugin does not find anything to block, so it allows the request,” Tokarev said in a report shared with Hacker News. “The Docker daemon handles the entire request and creates a privileged container with root access to the host (AWS credentials, SSH keys, Kubernetes configuration, and everything else on the machine). This works for all AuthZ plugins in the ecosystem.”
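Upgrading to 29.3.1 is the fix; the following is an added illustration (not Docker's or Cyera's code) of why a body-inspecting AuthZ plugin must fail closed rather than open. It models the request fields a plugin receives (`RequestMethod`, `RequestURI`, `RequestBody`; an assumed shape based on the plugin protocol) and denies a container create that arrives with no body instead of treating "nothing to block" as an allow.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// AuthZRequest is the subset of fields a Docker AuthZ plugin receives from the
// daemon (assumed shape modeled on the plugin protocol; not Docker's own code).
type AuthZRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte // empty when the daemon forwarded no body
}

// createRe matches /containers/create with an optional API version prefix.
var createRe = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?.*)?$`)

// createBody is the minimal view of the create payload this policy inspects.
type createBody struct {
	HostConfig struct {
		Privileged bool     `json:"Privileged"`
		Binds      []string `json:"Binds"`
	} `json:"HostConfig"`
}

// Decide fails closed: a create request that arrives with no body (the padded
// request condition behind CVE-2026-34040) is denied, as are privileged or host-bind creates.
func Decide(req AuthZRequest) (allow bool, reason string) {
	if req.RequestMethod != "POST" || !createRe.MatchString(req.RequestURI) {
		return true, "" // this policy only governs container creation
	}
	if len(req.RequestBody) == 0 {
		return false, "container create arrived without a body"
	}
	var body createBody
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return false, "unparseable create body: " + err.Error()
	}
	if body.HostConfig.Privileged {
		return false, "privileged containers are not permitted"
	}
	for _, b := range body.HostConfig.Binds {
		if strings.HasPrefix(b, "/") { // absolute source is a host path (strict example policy)
			return false, "host path bind not permitted: " + b
		}
	}
	return true, ""
}
```

The empty-body branch is the one that matters here: a plugin that only looks for something to block will allow the padded request, while this one refuses any create it cannot inspect.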

Additionally, artificial intelligence (AI) coding agents like OpenClaw running within a Docker-based sandbox can be tricked by hidden prompt injections planted in specially crafted GitHub repositories that the agent processes as part of its normal developer workflow, resulting in the execution of malicious code that exploits CVE-2026-34040, bypasses authorization using the approach described above, and creates privileged containers that mount the host file system.

With this level of access in place, attackers can extract cloud service credentials and use them to gain access over SSH to cloud accounts, Kubernetes clusters, and even production servers.

That’s not the end. Cyera also warned that if an error occurs while attempting to access a file such as kubeconfig as part of a legitimate debugging task issued by a developer (such as debugging an out-of-memory issue on K8s), the AI agent could work out the bypass on its own and trigger it by constructing a padded HTTP request. This approach eliminates the need to plant tainted repositories containing malicious instructions.

“The AuthZ plugin rejected the mount request,” Cyera explained. “Agents have access to the Docker API and know how HTTP works. CVE-2026-34040 requires no exploit code, privileges, or special tools. It is a single HTTP request with additional padding. It can be constructed by any agent that can read the Docker API documentation.”

As a temporary workaround, we recommend avoiding the use of AuthZ plugins that rely on request body inspection for security decisions, restricting access to the Docker API to trusted parties following the principle of least privilege, or running Docker in rootless mode.

“In rootless mode, even the ‘root’ of a privileged container is mapped to an unprivileged host UID,” Tokarev said. “The blast radius goes from ‘Complete Host Compromise’ to ‘Unprivileged User Compromise.’ For environments that cannot be completely rootless, --userns-remap provides similar UID mapping.”
