Docker fixes high-severity AuthZ bypass that can let attackers sidestep API policy checks


Docker has fixed a high-severity Docker Engine vulnerability that can let attackers bypass authorization plugins under specific conditions. The flaw, tracked as CVE-2026-34040, affects Moby and Docker Engine before version 29.3.1 and ties back to an incomplete fix for CVE-2024-41110.

The bug matters only if an environment uses Docker authorization plugins, also called AuthZ plugins. Docker’s own documentation says these plugins inspect request context, including the request body for supported content types, to allow or deny Docker daemon actions.

GitHub’s advisory says an attacker can send a specially crafted oversized API request that reaches the authorization plugin without the body attached. If the plugin depends on that body to make an access-control decision, it may approve a request it should have blocked.

Who is affected and who is not

If you do not use AuthZ plugins, this flaw does not affect you. GitHub’s advisory states that directly, and Docker’s release notes frame the issue as an AuthZ-plugin bypass rather than a general Docker daemon compromise that hits every setup.

If you do use AuthZ plugins, the real risk depends on how those plugins enforce policy. Environments that rely on request-body inspection for sensitive decisions face the highest exposure because that missing body can blind the plugin at the exact moment it needs to evaluate a dangerous request.

The scoring still varies by source. GitHub rates the issue 8.8 High, while NVD currently shows a 7.8 High base score under its own assessment. Both agree the bug is serious and patched in 29.3.1.

What Docker changed

Docker fixed the issue in Docker Engine 29.3.1. Docker’s official Engine 29 release notes list CVE-2026-34040 under the 29.3.1 security fixes and describe it as an authorization bypass in AuthZ plugins under specific conditions.

The GitHub advisory also lists versions below 29.3.1 as affected for github.com/docker/docker and github.com/moby/moby. For github.com/moby/moby/v2, it lists versions below 2.0.0-beta.8 as affected and 2.0.0-beta.8 as patched.

NVD matches the main version guidance and says Moby before 29.3.1 contains the flaw. That gives admins a clear upgrade target even if they track the issue through different vulnerability feeds.

Quick breakdown

  • CVE: CVE-2026-34040
  • Affected software: Docker Engine / Moby before 29.3.1
  • Main issue: Oversized request can bypass AuthZ plugin body inspection
  • Affected setups: Environments that use AuthZ plugins, especially those that inspect request bodies
  • Fixed version: Docker Engine 29.3.1
  • Related earlier issue: CVE-2024-41110

Sources: Docker advisory, Docker release notes, NVD.

What admins should do now

  • Upgrade Docker Engine to 29.3.1 or later. Docker’s release notes mark that version as the fix point for CVE-2026-34040.
  • Review whether your environment uses --authorization-plugin and whether the plugin depends on request-body inspection for access decisions. Docker’s AuthZ documentation explains how that flow works.
  • Restrict Docker API access to trusted users and systems only. The advisory says exploitation needs access to the Docker API path guarded by those plugins.
  • Apply least privilege across container and daemon access. That limits damage if someone reaches the API with low privileges. NVD’s vector also assumes low privileges and local access rather than anonymous remote internet access.
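As an added triage helper (not code from Docker or the advisory), the Python below applies the two conditions above, an Engine version below 29.3.1 and AuthZ plugins in use, to decide whether a host is exposed. It assumes the version string comes from `docker version --format '{{.Server.Version}}'` and that plugins are configured through daemon.json's "authorization-plugins" key or dockerd's --authorization-plugin flag; the sample inputs are constructed.

```python
"""Triage helper for CVE-2026-34040: a host is exposed only if it runs
Docker Engine / Moby before 29.3.1 AND has AuthZ plugins configured.
Assumed inputs (not from the advisory): output of
`docker version --format '{{.Server.Version}}'`, daemon.json's
"authorization-plugins" key and dockerd's --authorization-plugin flag."""
import json
import re
import shlex

# 29.3.1 is the fix point; trailing 1 marks a final (non-pre-release) build.
FIXED_VERSION = (29, 3, 1, 1)

def parse_engine_version(raw: str) -> tuple:
    """Map '29.3.0', 'v29.3.1-rc.1' or '28.1.1+azure' to a comparable tuple;
    pre-release tags (-rc.1, -beta.2) are assumed to sort before the final release."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Docker Engine version: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)

def is_vulnerable_version(raw: str) -> bool:
    """Versions before 29.3.1 still carry the incomplete CVE-2024-41110 fix."""
    return parse_engine_version(raw) < FIXED_VERSION

def authz_plugins(daemon_json: str = "", dockerd_cmdline: str = "") -> list:
    """Collect AuthZ plugin names from daemon.json and/or the dockerd command line."""
    plugins = []
    if daemon_json.strip():
        plugins += json.loads(daemon_json).get("authorization-plugins", [])
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--authorization-plugin="):
            plugins.append(arg.split("=", 1)[1])
        elif arg == "--authorization-plugin" and i + 1 < len(args):
            plugins.append(args[i + 1])
    return plugins

def triage(version: str, daemon_json: str = "", dockerd_cmdline: str = "") -> str:
    """'patched' (29.3.1 or later), 'not-affected' (no AuthZ plugins) or 'exposed'."""
    if not is_vulnerable_version(version):
        return "patched"
    if not authz_plugins(daemon_json, dockerd_cmdline):
        return "not-affected"
    return "exposed"

if __name__ == "__main__":
    cfg = '{"authorization-plugins": ["example-authz:latest"]}'  # constructed sample
    print(triage("29.3.0", cfg), triage("29.3.1", cfg), triage("28.0.4"))
```

Run it against the real values from each host; an "exposed" result means the upgrade to 29.3.1 is the priority, while "not-affected" hosts still benefit from the API-access restrictions listed above.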

FAQ

Does this Docker flaw affect every Docker installation?

No. GitHub’s advisory says setups that do not use authorization plugins are not affected.

Can this bug let attackers reach the host?

The flaw itself bypasses authorization controls. That can open the door to dangerous Docker actions, which is why the impact can reach the host in some real deployments, but the exact result depends on what the attacker can ask the Docker daemon to do after the bypass.

What version fixes CVE-2026-34040?

Docker Engine 29.3.1 fixes it. Docker lists that in the official 29.3.1 release notes, and NVD repeats the same patch point.

Is this related to an older Docker vulnerability?

Yes. GitHub’s advisory calls it an incomplete fix for CVE-2024-41110.
