CVE-2026-33997
Modified Modified - Updated After Analysis

Privilege Validation Bypass in Moby Docker Plugin Installation

Vulnerability report for CVE-2026-33997, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-31

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-31
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-03-31
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
docker engine to 29.3.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-33997 is a security vulnerability in the Moby Docker Engine prior to version 29.3.1 that affects the plugin privilege validation mechanism during the docker plugin install process.

Due to an error in the daemon's privilege comparison logic, the Docker daemon may incorrectly accept a set of privileges requested by a plugin that differs from what the user approved.

Additionally, plugins that request exactly one privilege are affected because no comparison is performed at all in that case.

This flaw allows a malicious plugin to bypass the intended privilege approval process and potentially gain elevated permissions beyond what the user consented to.

Impact Analysis

If exploited, this vulnerability can allow a malicious plugin to gain elevated privileges beyond those approved by the user during plugin installation.

This can lead to significant confidentiality and integrity breaches, such as unauthorized access to sensitive data or unauthorized modification of system components.

However, exploitation requires user interaction (installing a malicious plugin) and has a high attack complexity.

Also, Docker Desktop does not support plugins, which reduces the attack surface for many users.

Detection Guidance

This vulnerability occurs during the docker plugin install process when the daemon incorrectly validates plugin privileges. Detection involves verifying the Docker Engine version and monitoring plugin installation activities.

  • Check the Docker Engine version to ensure it is 29.3.1 or later, as versions prior to this are vulnerable.
  • Review logs for plugin installation attempts, especially those involving plugins requesting exactly one privilege, since these are affected.
  • Use the command `docker version` to determine the installed Docker Engine version.
  • Use `docker plugin ls` to list installed plugins and verify their privileges manually if possible.
Mitigation Strategies

The primary mitigation step is to upgrade the Docker Engine to version 29.3.1 or later, where the vulnerability has been patched.

Avoid installing untrusted or unknown Docker plugins, as exploitation requires user interaction during plugin installation.

If upgrading immediately is not possible, restrict plugin installation permissions to trusted administrators only.

Compliance Impact

This vulnerability allows a malicious plugin to bypass the intended privilege approval process during Docker plugin installation, potentially gaining elevated permissions beyond what the user consented to.

Such unauthorized privilege escalation can lead to significant confidentiality and integrity breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict controls over data access and integrity.

However, exploitation requires user interaction (installing a malicious plugin), and Docker Desktop does not support plugins, which reduces the attack surface.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33997. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart