Executive Summary

CVE-2026-34040 is a high-severity security vulnerability in Docker Engine versions prior to 29.3.1 that allows attackers to bypass authorization plugins (AuthZ).

The vulnerability occurs because the Docker daemon forwards API requests to the AuthZ plugin without including the request body. Attackers can send specially crafted API requests with an oversized request body, causing the AuthZ plugin to not see the full request content.

As a result, AuthZ plugins that rely on inspecting the request body to make access control decisions may incorrectly allow unauthorized requests.

This issue is an incomplete fix of an earlier vulnerability (CVE-2024-41110) and was fixed in Docker Engine version 29.3.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts because it allows attackers with local access and low privileges to bypass authorization controls.

The attacker can perform unauthorized actions on the Docker Engine by exploiting the bypass in AuthZ plugins, potentially leading to full compromise of confidentiality, integrity, and availability of the system.

Since the vulnerability requires no user interaction and has a low attack complexity, it poses a significant risk to affected systems.

• Unauthorized access to container management functions.
• Potential execution of unauthorized commands or operations.
• Compromise of sensitive data or disruption of containerized services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves attackers sending specially crafted API requests with an oversized request body to bypass authorization plugins. Detection would involve monitoring Docker API requests for unusual or oversized request bodies that could be attempting to exploit this bypass.

Since the vulnerability affects Docker Engine versions prior to 29.3.1 and involves the forwarding of incomplete request bodies to AuthZ plugins, you can check your Docker Engine version with the command:

• docker version

To detect suspicious API requests, you could enable detailed Docker daemon logs and monitor for requests with unusually large or malformed bodies. For example, you might use network monitoring tools like tcpdump or Wireshark to capture Docker API traffic on the local socket or network interface.

• sudo tcpdump -i any port 2375 or port 2376

Additionally, reviewing logs for AuthZ plugin denials or anomalies could help identify attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Docker Engine to version 29.3.1 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, workarounds include avoiding the use of AuthZ plugins that depend on inspecting the request body for access control decisions.

Additionally, restrict Docker API access to trusted parties only, following the principle of least privilege to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass authorization plugins by exploiting the forwarding of incomplete request data, potentially leading to unauthorized access to sensitive container operations.

Such unauthorized access can compromise confidentiality, integrity, and availability of data and systems, which are critical requirements under standards like GDPR and HIPAA.

Organizations relying on affected Docker Engine versions and AuthZ plugins that inspect request bodies may face increased risk of data breaches or unauthorized actions, thereby impacting their compliance posture.

Mitigations include upgrading to Docker Engine version 29.3.1 and restricting API access to trusted parties, which help maintain compliance by reducing the risk of unauthorized access.

Useful 0 Not Useful 0