CVE-2026-33997
Received - Intake
Privilege Validation Bypass in Moby Docker Plugin Installation

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
Moby is an open source container framework. Versions prior to 29.3.1 contain a vulnerability that allows plugin privilege validation to be bypassed during `docker plugin install`. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

Meta Information

  • Published: 2026-03-31
  • Last Modified: 2026-04-03
  • Generated: 2026-06-16
  • AI Q&A: 2026-03-31
  • EPSS Evaluated: 2026-06-15

Affected Vendors & Products

Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| mobyproject | moby | to 29.3.1 (exclusive) |

| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |

Executive Summary

CVE-2026-33997 is a security vulnerability in the Moby Docker Engine prior to version 29.3.1 that affects the plugin privilege validation mechanism during the docker plugin install process.

Due to an error in the daemon's privilege comparison logic, the Docker daemon may incorrectly accept a set of privileges requested by a plugin that differs from what the user approved.

Additionally, plugins that request exactly one privilege are affected because no comparison is performed at all in that case.

This flaw allows a malicious plugin to bypass the intended privilege approval process and potentially gain elevated permissions beyond what the user consented to.
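
The off-by-one class this entry is filed under (CWE-193) can produce both symptoms described above: a differing set accepted, and no check at all for a single privilege. The Go code below is an added illustration, not Moby's source code; the function names, the string encoding of privileges and the faulty loop bound are assumptions chosen to reproduce the described behaviour beside a strict comparison.

```go
package main

import (
	"fmt"
	"sort"
)

// sortedCopy returns a sorted copy so callers' slices are left untouched.
func sortedCopy(in []string) []string {
	out := append([]string(nil), in...)
	sort.Strings(out)
	return out
}

// equalOffByOne is a hypothetical comparison with a CWE-193 bound error:
// the loop starts at 1, so index 0 is never checked and a one-element
// set is accepted with no comparison at all.
func equalOffByOne(approved, requested []string) bool {
	if len(approved) != len(requested) {
		return false
	}
	a, r := sortedCopy(approved), sortedCopy(requested)
	for i := 1; i < len(a); i++ {
		if a[i] != r[i] {
			return false
		}
	}
	return true
}

// equalStrict compares every element, including index 0.
func equalStrict(approved, requested []string) bool {
	if len(approved) != len(requested) {
		return false
	}
	a, r := sortedCopy(approved), sortedCopy(requested)
	for i := range a {
		if a[i] != r[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed privilege strings, not real plugin output.
	approved := []string{"network=none"}
	requested := []string{"network=host"}
	fmt.Println(equalOffByOne(approved, requested)) // true: mismatch accepted
	fmt.Println(equalStrict(approved, requested))   // false: mismatch rejected
}
```

A regression test for a comparison like this should cover the one-element case and a mismatch at each index, since a bound error hides only at the edge of the range.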

Impact Analysis

If exploited, this vulnerability can allow a malicious plugin to gain elevated privileges beyond those approved by the user during plugin installation.

This can lead to significant confidentiality and integrity breaches, such as unauthorized access to sensitive data or unauthorized modification of system components.

However, exploitation requires user interaction (installing a malicious plugin) and has a high attack complexity.

Also, Docker Desktop does not support plugins, which reduces the attack surface for many users.

Detection Guidance

This vulnerability occurs during the docker plugin install process when the daemon incorrectly validates plugin privileges. Detection involves verifying the Docker Engine version and monitoring plugin installation activities.

  • Check the Docker Engine version to ensure it is 29.3.1 or later, as versions prior to this are vulnerable.
  • Review logs for plugin installation attempts, especially those involving plugins requesting exactly one privilege, since these are affected.
  • Use the command `docker version` to determine the installed Docker Engine version.
  • Use `docker plugin ls` to list installed plugins and verify their privileges manually if possible.

Mitigation Strategies

The primary mitigation step is to upgrade the Docker Engine to version 29.3.1 or later, where the vulnerability has been patched.

Avoid installing untrusted or unknown Docker plugins, as exploitation requires user interaction during plugin installation.

If upgrading immediately is not possible, restrict plugin installation permissions to trusted administrators only.

Compliance Impact

This vulnerability allows a malicious plugin to bypass the intended privilege approval process during Docker plugin installation, potentially gaining elevated permissions beyond what the user consented to.

Such unauthorized privilege escalation can lead to significant confidentiality and integrity breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict controls over data access and integrity.

However, exploitation requires user interaction (installing a malicious plugin), and Docker Desktop does not support plugins, which reduces the attack surface.
