CVE-2026-33997
Privilege Validation Bypass in Moby Docker Plugin Installation
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mobyproject | moby | < 29.3.1 (29.3.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33997 is a security vulnerability in the Moby Docker Engine prior to version 29.3.1 that affects the plugin privilege validation mechanism during the docker plugin install process.
Due to an error in the daemon's privilege comparison logic, the Docker daemon may incorrectly accept a set of privileges requested by a plugin that differs from what the user approved.
Additionally, plugins that request exactly one privilege are affected because no comparison is performed at all in that case.
This flaw allows a malicious plugin to bypass the intended privilege approval process and potentially gain elevated permissions beyond what the user consented to.
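The following Go example is added here to illustrate the bug class the advisory names (CWE-193, an off-by-one in the comparison) and is not Moby's own code. The Privilege type, the function names and the single short loop bound are constructed for the illustration: they show how one off-by-one in a list comparison produces both symptoms described above (a differing last privilege is accepted, and a plugin requesting exactly one privilege is never compared at all), not a claim about the daemon's exact source. The hardened version compares every entry of a canonicalised list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Privilege is a minimal stand-in for a plugin privilege: a name such as
// "mount" or "capabilities" and the values requested for it. Hypothetical
// type for this illustration, not Moby's definition.
type Privilege struct {
	Name  string
	Value []string
}

// canonical renders a privilege list as sorted "name=v1,v2" strings so that
// ordering differences in the request cannot cause spurious mismatches.
func canonical(ps []Privilege) []string {
	out := make([]string, 0, len(ps))
	for _, p := range ps {
		vals := append([]string(nil), p.Value...)
		sort.Strings(vals)
		out = append(out, p.Name+"="+strings.Join(vals, ","))
	}
	sort.Strings(out)
	return out
}

// ValidateBuggy illustrates the CWE-193 bug class: the loop bound is one
// short, so the last requested privilege is never compared against what the
// user approved, and with exactly one privilege the loop body never runs.
// Hypothetical reconstruction only.
func ValidateBuggy(requested, approved []Privilege) error {
	if len(requested) != len(approved) {
		return fmt.Errorf("privilege count mismatch: requested %d, approved %d", len(requested), len(approved))
	}
	req, appr := canonical(requested), canonical(approved)
	for i := 0; i < len(req)-1; i++ { // BUG: should be i < len(req)
		if req[i] != appr[i] {
			return fmt.Errorf("privilege %q was not approved", req[i])
		}
	}
	return nil
}

// ValidateFixed compares every entry, so neither the last privilege nor a
// single privilege escapes the check.
func ValidateFixed(requested, approved []Privilege) error {
	if len(requested) != len(approved) {
		return fmt.Errorf("privilege count mismatch: requested %d, approved %d", len(requested), len(approved))
	}
	req, appr := canonical(requested), canonical(approved)
	for i := range req {
		if req[i] != appr[i] {
			return fmt.Errorf("privilege %q was not approved", req[i])
		}
	}
	return nil
}

func main() {
	// Constructed sample: the user approved a narrow mount, the plugin asks for "/".
	approved := []Privilege{{Name: "mount", Value: []string{"/var/lib/plugin-data"}}}
	requested := []Privilege{{Name: "mount", Value: []string{"/"}}}
	fmt.Println("buggy validator:", ValidateBuggy(requested, approved))
	fmt.Println("fixed validator:", ValidateFixed(requested, approved))
}
```

With the single-privilege input above the buggy validator returns nil (the request is accepted although it differs from what was approved), while the fixed validator reports the mismatch.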
How can this vulnerability impact me?
If exploited, this vulnerability can allow a malicious plugin to gain elevated privileges beyond those approved by the user during plugin installation.
This can lead to significant confidentiality and integrity breaches, such as unauthorized access to sensitive data or unauthorized modification of system components.
However, exploitation requires user interaction (installing a malicious plugin) and has a high attack complexity.
Also, Docker Desktop does not support plugins, which reduces the attack surface for many users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs during the docker plugin install process when the daemon incorrectly validates plugin privileges. Detection involves verifying the Docker Engine version and monitoring plugin installation activities.
- Check the Docker Engine version to ensure it is 29.3.1 or later, as versions prior to this are vulnerable.
- Review logs for plugin installation attempts, especially those involving plugins requesting exactly one privilege, since these are affected.
- Use the command `docker version` to determine the installed Docker Engine version.
- Use `docker plugin ls` to list installed plugins and verify their privileges manually if possible.
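As an added example for the version check above (not code from the page or from the Moby project), the Go program below decides whether a daemon version string such as the output of `docker version --format '{{.Server.Version}}'` is at or above 29.3.1, the fixed release named on this page. The function names and the sample version strings are constructed for the illustration; a pre-release of 29.3.1 is deliberately treated as unpatched.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first Docker Engine release this advisory lists as patched.
var fixedVersion = [3]int{29, 3, 1}

// parseVersion splits "MAJOR.MINOR.PATCH[-prerelease][+build]" into its
// numeric parts and reports whether a pre-release suffix was present.
func parseVersion(v string) ([3]int, bool, error) {
	var parts [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // drop build metadata
		v = v[:i]
	}
	pre := false
	if i := strings.IndexByte(v, '-'); i >= 0 { // note and drop pre-release tag
		pre = true
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("unexpected version format %q", v)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false, fmt.Errorf("non-numeric version component %q", f)
		}
		parts[i] = n
	}
	return parts, pre, nil
}

// IsPatched reports whether a daemon reporting version v contains the fix.
// Anything below 29.3.1, including pre-releases of 29.3.1, is unpatched.
func IsPatched(v string) (bool, error) {
	parts, pre, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	for i := range parts {
		if parts[i] != fixedVersion[i] {
			return parts[i] > fixedVersion[i], nil
		}
	}
	return !pre, nil
}

func main() {
	// Constructed sample outputs of: docker version --format '{{.Server.Version}}'
	for _, v := range []string{"28.3.2", "29.3.0", "29.3.1", "29.3.1-rc.1", "29.4.0", "latest"} {
		ok, err := IsPatched(v)
		if err != nil {
			fmt.Printf("%-12s cannot parse: %v\n", v, err)
			continue
		}
		fmt.Printf("%-12s patched=%v\n", v, ok)
	}
}
```

Feed the function the real output of `docker version --format '{{.Server.Version}}'` on each host; a false result means the plugin privilege check on that daemon predates the fix.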
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Docker Engine to version 29.3.1 or later, where the vulnerability has been patched.
Avoid installing untrusted or unknown Docker plugins, as exploitation requires user interaction during plugin installation.
If upgrading immediately is not possible, restrict plugin installation permissions to trusted administrators only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a malicious plugin to bypass the intended privilege approval process during Docker plugin installation, potentially gaining elevated permissions beyond what the user consented to.
Such unauthorized privilege escalation can lead to significant confidentiality and integrity breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict controls over data access and integrity.
However, exploitation requires user interaction (installing a malicious plugin), and Docker Desktop does not support plugins, which reduces the attack surface.