DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34040: Authorization Bypass via Oversized Request Body in Moby (Docker Engine)

Vulnerability ID: CVE-2026-34040
CVSS Score: 8.8
Published: 2026-03-31

Moby (Docker Engine) before version 29.3.1 contains a high-severity authorization bypass (CVE-2026-34040) in its AuthZ plugin framework, caused by unsafe handling of oversized request bodies. An attacker who already has access to the Docker API can evade any policy an authorization plugin enforces by padding the request body beyond 1 MiB: the daemon forwards an empty body to the plugin, the plugin approves a request it cannot see, and the daemon then executes the original, oversized payload. Because the Docker API can create privileged containers and mount host paths, a bypassed policy can lead to privilege escalation and compromise of the host.

TL;DR

Docker Engine < 29.3.1 lets any caller with API access bypass AuthZ plugins by padding an API request body past 1 MiB. The daemon hands the plugin an empty body to validate, the plugin approves it, and the daemon executes the original payload. Version 29.3.1 fails closed instead: request bodies over 4 MiB are rejected rather than forwarded to the plugin as empty.
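To make the mechanism described in the summary and the TL;DR concrete, the following Go program is an added illustration written for this page; it is not Moby's code and not the fix from commit e89edb1. It models the pre-fix body handling, in which a body that fills the 1 MiB peek buffer is forwarded to the plugin as an empty slice while the request continues, beside a fail-closed variant that caps the body at the 4 MiB limit mentioned above and rejects anything larger. The toy plugin, the request type, the constant names, the `/containers/create` payload and its padding field are all constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits quoted by the advisory: the pre-fix peek buffer (1 MiB) and the
// fixed daemon's hard cap (4 MiB). The constant names are this example's own.
const (
	peekLimit   = 1 << 20
	acceptLimit = 4 << 20
)

var errBodyTooLarge = errors.New("request body exceeds acceptLimit; rejected before authorization")

// AuthzRequest is what the simulated plugin receives. Constructed type, not Moby's.
type AuthzRequest struct {
	Method string
	URI    string
	Body   []byte
}

// plugin is a toy policy: deny container creation that asks for Privileged.
// A plugin handed an empty body has nothing to match and therefore allows.
func plugin(req AuthzRequest) bool {
	if req.Method == "POST" && req.URI == "/containers/create" &&
		bytes.Contains(req.Body, []byte(`"Privileged":true`)) {
		return false
	}
	return true
}

// drainPermissive models the pre-fix flow: peek up to peekLimit bytes for the
// plugin and pass the stream onward. When the body fills the buffer, Peek
// returns a nil error rather than io.EOF, so the plugin is handed nil while
// the daemon still goes on to execute the full request.
func drainPermissive(body io.Reader) ([]byte, io.Reader) {
	br := bufio.NewReaderSize(body, peekLimit)
	data, err := br.Peek(peekLimit)
	if err != io.EOF {
		return nil, br // oversized: nothing forwarded, request continues
	}
	return data, br
}

// drainFailClosed models the fix: read at most acceptLimit+1 bytes and reject
// anything beyond the cap instead of silently forwarding an empty body.
func drainFailClosed(body io.Reader) ([]byte, io.Reader, error) {
	data, err := io.ReadAll(io.LimitReader(body, acceptLimit+1))
	if err != nil {
		return nil, nil, err
	}
	if len(data) > acceptLimit {
		return nil, nil, errBodyTooLarge
	}
	return data, bytes.NewReader(data), nil
}

type Outcome string

const (
	Executed Outcome = "executed" // reached the daemon's handler
	Denied   Outcome = "denied"   // the plugin refused it
	Rejected Outcome = "rejected" // the fail-closed size check refused it
)

// Handle runs one API request through the authorization step in either mode.
func Handle(method, uri string, body []byte, failClosed bool) Outcome {
	var forwarded []byte
	if failClosed {
		data, _, err := drainFailClosed(bytes.NewReader(body))
		if err != nil {
			return Rejected
		}
		forwarded = data
	} else {
		forwarded, _ = drainPermissive(bytes.NewReader(body))
	}
	if !plugin(AuthzRequest{Method: method, URI: uri, Body: forwarded}) {
		return Denied
	}
	return Executed // the real handler decodes the original stream, padding and all
}

// PrivilegedCreate builds a constructed /containers/create body that asks for
// a privileged container, padded with an extra field to reach any size.
func PrivilegedCreate(padding int) []byte {
	return []byte(fmt.Sprintf(
		`{"Image":"alpine","HostConfig":{"Privileged":true},"Pad":"%s"}`,
		strings.Repeat("A", padding)))
}

func main() {
	cases := []struct {
		name string
		body []byte
	}{
		{"small", PrivilegedCreate(0)},
		{"over 1 MiB", PrivilegedCreate(peekLimit)},
		{"over 4 MiB", PrivilegedCreate(acceptLimit)},
	}
	for _, c := range cases {
		fmt.Printf("%-10s vulnerable=%-8s fixed=%s\n", c.name,
			Handle("POST", "/containers/create", c.body, false),
			Handle("POST", "/containers/create", c.body, true))
	}
}
```

Running it prints the two outcomes side by side for each case: pre-fix, the padded request sails past the plugin; fixed, the plugin sees the whole body and denies it, and only the request that exceeds the hard cap is rejected outright. The bufio Peek idiom is the part worth studying. Its error value distinguishes "the body ended inside the buffer" (io.EOF) from "the buffer filled before the body ended" (nil), and treating the second case as "nothing to forward" is exactly what turns a size limit into an authorization bypass.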


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-288
  • Attack Vector: Local
  • CVSS Score: 8.8
  • EPSS Score: 0.00014
  • Exploit Status: Proof of Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Docker Desktop
  • Docker Engine on Linux
  • AWS Amazon Linux
  • Wolfi
  • Chainguard
  • Moby (Docker Engine): < 29.3.1 (Fixed in: 29.3.1)

Code Analysis

Commit: e89edb1

Fix AuthZ plugin bypass by introducing fail-closed logic for oversized request bodies

Mitigation Strategies

  • Upgrade Docker Engine to version 29.3.1 or later
  • Restrict access to the Docker API to highly trusted users: lock down the Unix socket (/var/run/docker.sock), and treat any TCP listener (tcp:// on the daemon) as equivalent to root on the host, since the bypass needs nothing more than the ability to send API requests
  • Keep secondary controls such as AppArmor, Seccomp, and user namespaces in place; they constrain what a container can do once it is running but do not restore the policy decision the plugin was meant to make, so they are defence in depth, not a substitute for the upgrade

Remediation Steps:

  1. Identify every host running a vulnerable Docker Engine/Moby release; the server (daemon) version reported by `docker version` is the one that matters, not the client version
  2. Deploy the 29.3.1 or later package through the distribution's package manager
  3. Restart the Docker daemon so the running process is the updated binary, and confirm afterwards that the server reports 29.3.1 or later
  4. Review the authorization plugin's own logs, and the access logs of any proxy in front of the API, for unusually large requests or plugin decisions made on an empty body; dockerd itself does not record request body sizes by default, so this step depends on logging outside the daemon

Read the full report for CVE-2026-34040 on our website for more details including interactive diagrams and full exploit analysis.
