What is the CVSS score of CVE-2026-34040?

CVE-2026-34040 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Docker Engine are affected by CVE-2026-34040?

A vulnerability in Docker Engine allows attackers to bypass access control policies enforced by authorization plugins, potentially enabling unauthorized API operations.. A patch is available.

Is there a public PoC exploit available for CVE-2026-34040?

Yes, a public proof-of-concept exploit is available for CVE-2026-34040. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-34040?

Within 24 hours: Identify all Docker Engine deployments using AuthZ plugins and assess exposure scope. Within 7 days: Obtain patch available per vendor advisory, test in non-production with your AuthZ plugin configuration, and develop rollout plan. Within 30 days: Deploy patch to all affected Docker Engine instances and validate that AuthZ plugin enforcement remains functional.

Docker Engine CVE-2026-34040

HIGH

Incorrect Authorization (CWE-863)

2026-03-27 https://github.com/moby/moby

GHSA-x744-4wpc-v9h2

Docker Authentication Bypass

7.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI

7.8 HIGH

Docker API is typically local (AV:L), low-priv API client suffices (PR:L), crafted request is trivial (AC:L), and AuthZ bypass yields full container/host control (C:H/I:H/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUSE

8.8 HIGH

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Red Hat

8.4 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Jun 16, 2026 - 14:59 vuln.today

v3 (cvss_changed)

Source Code Evidence Fetched

Jun 16, 2026 - 14:59 vuln.today

Analysis Updated

Jun 16, 2026 - 14:59 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 16, 2026 - 14:52 vuln.today

cvss_changed

CVSS changed

Jun 16, 2026 - 14:52 NVD

8.8 (HIGH) 7.8 (HIGH)

Analysis Generated

Mar 27, 2026 - 18:00 vuln.today

Patch released

Mar 27, 2026 - 18:00 nvd

Patch available

CVE Published

Mar 27, 2026 - 17:43 nvd

HIGH 8.8

DescriptionNVD

Summary

A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

This is an incomplete fix for CVE-2024-41110.

Impact

If you don't use AuthZ plugins, you are not affected.

Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.

Workarounds

If unable to update immediately:

Avoid using AuthZ plugins that rely on request body inspection for security decisions.
Restrict access to the Docker API to trusted parties, following the principle of least privilege.

Credits

1seal / Oleh Konko (@1seal)
Cody (c@wormhole.guru)
Asim Viladi Oglu Manizada (@manizada)

Resources

CVE-2024-41110 / GHSA-v23v-6jw2-98fq

AnalysisAI

Authorization bypass in Docker Engine (moby) allows API clients to evade AuthZ plugin policy decisions by issuing requests whose body is not forwarded to the plugin, causing it to approve operations it would otherwise deny. This is an incomplete-fix regression of CVE-2024-41110 affecting deployments that rely on AuthZ plugins inspecting request bodies; publicly available exploit code exists but EPSS is 0.01% and SSVC exploitation status is 'none'.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain Docker API access at PR:L

Delivery

Identify AuthZ plugin in use

Exploit

Craft API request stripping body forwarding

Execution

Plugin evaluates incomplete request and allows

Persist

Daemon executes full-body operation (e.g., privileged container create)

Impact

Escape to host root

Access

Obtain Docker API access at PR:L

Delivery

Identify AuthZ plugin in use

Exploit

Craft API request stripping body forwarding

Execution

Plugin evaluates incomplete request and allows

Persist

Daemon executes full-body operation (e.g., privileged container create)

Impact

Escape to host root

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) Docker Engine deployed with an authorization plugin enabled via --authorization-plugin that makes policy decisions based on inspecting the HTTP request body (e.g., container create payloads, bind-mount specifications, capability lists) - hosts without an AuthZ plugin are explicitly not affected per the vendor; (2) the attacker must already be able to reach the Engine API (local unix socket, TCP endpoint, or a delegated client cert) at PR:L privilege per the CVSS vector; (3) the attacker must be able to issue an HTTP API request that triggers the body-stripping path (zero-length / specific Content-Length manipulation against the legacy drainBody logic). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals diverge sharply: CVSS 7.8 (High) with C:H/I:H/A:H and SSVC Technical Impact 'total' indicate severe consequences when exploitable, but exploitation is gated on the operator actually running an AuthZ plugin that uses body introspection - a deliberately enabled, non-default configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A low-privileged Docker API client on a host protected by an AuthZ plugin sends a crafted API call (for example POST /containers/create with a privileged/host-mount payload) using Content-Length: 0 or otherwise inducing the daemon to forward the request to the plugin without the body. The plugin, seeing only the URL and headers, approves the call, but dockerd then executes the real request body and creates the privileged container, granting the attacker root on the host. …
Remediation	Vendor-released patch: upgrade Docker Engine to docker-v29.3.1 or later (https://github.com/moby/moby/releases/tag/docker-v29.3.1); SUSE users can apply SUSE-SU-2026:1205 (https://www.suse.com/support/update/SUSE-SU-2026:1205/). … Detailed patch versions, workarounds, and compensating controls in full report.