Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

2026-04-07

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A high-severity Docker Engine vulnerability (CVE-2026-34040, CVSS 8.8) allows attackers to bypass authorization plugins and gain full host access.

•The flaw stems from an incomplete fix for CVE-2024-41110, failing to handle oversized HTTP request bodies (>1MB).
•An attacker with Docker API access can pad a container creation request to over 1MB, causing the body to be dropped before reaching the AuthZ plugin, which then allows the request.
•Exploiting this grants a privileged container with root-level host access, exposing AWS credentials, SSH keys, and Kubernetes configs.
•AI coding agents running in Docker-based sandboxes can be tricked via prompt injection or may independently discover and exploit the bypass during routine debugging tasks.
•

The vulnerability is patched in Docker Engine 29.3.1; workarounds include avoiding body-inspecting AuthZ plugins, restricting Docker API access, or running Docker in rootless mode.

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Guardrails at the gateway: Securing AI inference on GKE with Model Armor

EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallets

ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025