Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

Summary

A high-severity vulnerability (CVE-2026-34040, CVSS 8.8) in Docker Engine allows attackers to bypass authorization (AuthZ) plugins by sending specially-crafted API requests with oversized bodies, stemming from an incomplete fix to CVE-2024-41110. The flaw enables privileged container creation with host file system access, exposing credentials, SSH keys, and Kubernetes configs. AI coding agents can be tricked or autonomously discover and exploit this vulnerability to compromise cloud accounts and production infrastructure.

Full text

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Ravie LakshmananApr 07, 2026Vulnerability / DevSecOps A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024. "Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body," Docker Engine maintainers said in an advisory released late last month. "The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it." "Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted." Multiple security vulnerabilities, including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, have been credited with independently discovering and reporting the bug. The issue has been patched in Docker Engine version 29.3.1. According to a report published by Cyera Research Labs researcher Tokarev, the vulnerability stems from the fact that the fix for CVE-2024-41110 did not properly handle oversized HTTP request bodies, thereby opening the door to a scenario where a single padded HTTP request can be used to create a privileged container with host file system access. In a hypothetical attack scenario, an attacker who has Docker API access restricted by an AuthZ plugin can undermine the mechanism by padding a container creation request to more than 1MB, causing it to be dropped before reaching the plugin. "The plugin allows the request because it sees nothing to block," Tokarev said in a report shared with The Hacker News. "The Docker daemon processes the full request and creates a privileged container with root access to the host: your AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. This works against every AuthZ plugin in the ecosystem." What's more, an artificial intelligence (AI) coding agent like OpenClaw running inside a Docker-based sandbox can be tricked into executing a prompt injection concealed within a specifically crafted GitHub repository as part of a regular developer workflow, resulting in the execution of malicious code that exploits CVE-2026-34040 to bypass authorization using the above approach and create a privileged container and mount the host file system. With this level of access in place, the attacker can extract credentials for cloud services, and abuse them to take control of cloud accounts, Kubernetes clusters, and even SSH into production servers. It doesn't end there. Cyera also cautioned that AI agents can figure out the bypass on their own and trigger it by constructing a padded HTTP request upon encountering errors when attempting to access files like kubeconfig as part of a legitimate debugging task issued by a developer (e.g., debug the K8s out-of-memory issue). This approach eliminates the need for planting a poisoned repository containing the malicious instructions. "AuthZ plugin denied the mount request," Cyera explained. "The agent has access to the Docker API and knows how HTTP works. CVE-2026-34040 doesn't require any exploit code, privilege, or special tools. It's a single HTTP request with extra padding. Any agent that can read Docker API documentation can construct it." As temporary workarounds, it's recommended to avoid using AuthZ plugins that rely on request body inspection for security decisions, limit access to the Docker API to trusted parties by following the principle of least privilege, or run Docker in rootless mode. "In rootless mode, even a privileged container's 'root' maps to an unprivileged host UID," Tokarev said. "The blast radius drops from 'full host compromise' to 'compromised unprivileged user.' For environments that can't go fully rootless, --userns-remap provides similar UID mapping." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, Cloud security, Container Security, cybersecurity, data breach, DevSecOps, Docker, Kubernetes, Vulnerability Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• cve — CVE-2026-34040
• cve — CVE-2024-41110

Entities