A significant security vulnerability has been uncovered in Docker Engine that may allow attackers to circumvent authorization plugins under certain circumstances. This issue is assigned the identifier CVE-2026-34040, with a critical CVSS score of 8.8. The flaw arises from an incomplete resolution of CVE-2024-41110, which was a severe vulnerability discovered in July 2024.

The Docker Engine maintainers issued a statement warning that using a specially crafted API request can enable attackers to make the Docker daemon forward requests to an authorization plugin without the request body. This discrepancy could result in an authorization plugin inadvertently permitting a request it would normally block, had the body been sent along.

“Organizations relying on authorization plugins that analyze request bodies may be at risk,” the advisory noted. Multiple cybersecurity researchers, including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, are credited with the discovery and reporting of this vulnerability. The issue has been patched in Docker Engine version 29.3.1.

As reported by Cyera Research Labs, the vulnerability arises due to improper handling of oversized HTTP request bodies in the fix for CVE-2024-41110. This flaw potentially opens an avenue for attackers to create privileged containers with access to host file systems using a single padded HTTP request.

In a potential attack scenario, an individual with restricted Docker API access, governed by an authorization plugin, can exploit this vulnerability. By crafting a container creation request larger than 1MB, the attacker causes the request body to be dropped before the request reaches the plugin for inspection.

Tokarev elaborated that the plugin allows the request to proceed because it sees nothing to block. The Docker daemon then processes the entire request, creating a privileged container with root access to the host system. This exposes sensitive items such as AWS credentials, SSH keys, and Kubernetes configurations stored on the machine.
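A body-inspecting plugin can treat a missing body as a reason to deny rather than as nothing to block. The Go code below is an added example, not code from Docker or Cyera; the request field names follow Docker's authorization plugin request format, while Decide, createBody and the policy itself (no privileged containers, no mounts) are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest holds the authorization-plugin request fields this check uses.
type AuthZRequest struct {
	RequestMethod string
	RequestURI    string
	RequestBody   []byte // base64 in the JSON the daemon sends
}

type AuthZResponse struct {
	Allow bool
	Msg   string
}

// createBody is the part of a container-create body the policy inspects.
type createBody struct {
	HostConfig struct {
		Privileged bool
		Binds      []string
		Mounts     []json.RawMessage
	}
}

// Decide: hypothetical policy; fails closed when the body is absent or invalid.
func Decide(req AuthZRequest) AuthZResponse {
	path := strings.SplitN(req.RequestURI, "?", 2)[0]
	if req.RequestMethod != "POST" || !strings.HasSuffix(path, "/containers/create") {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Msg: "create request reached the plugin without a body"}
	}
	var body createBody
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return AuthZResponse{Msg: "create body is not valid JSON"}
	}
	hc := body.HostConfig
	if hc.Privileged || len(hc.Binds) > 0 || len(hc.Mounts) > 0 {
		return AuthZResponse{Msg: "privileged containers and mounts are denied"}
	}
	return AuthZResponse{Allow: true}
}

func main() { fmt.Printf("%+v\n", Decide(AuthZRequest{RequestMethod: "POST", RequestURI: "/containers/create"})) }
```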

AI coding tools like OpenClaw could be manipulated into executing prompt injections embedded within specially crafted GitHub repositories. This could enable attackers to use CVE-2026-34040 to bypass existing authorizations and create privileged containers that mount host file systems.

With this level of unauthorized access, attackers can extract cloud service credentials and use them to seize control of cloud accounts and Kubernetes clusters, and can SSH into production servers. Furthermore, AI agents could autonomously discover and trigger this bypass by engineering padded HTTP requests while troubleshooting legitimate access issues such as those related to kubeconfig. This capability reduces the need for malicious repositories.

Cyera’s analysis indicates that this incident falls under the MITRE ATT&CK Matrix’s tactics of initial access and privilege escalation, illustrating the complexity of modern cyber threats. Temporary measures include avoiding authorization plugins that depend on the request body for security, confining Docker API access to trusted users, and operating Docker in rootless mode.

In rootless mode, the potential for full host compromise diminishes significantly; the impact is limited to that of a compromised unprivileged user. For environments unable to fully transition to rootless operation, the --userns-remap option provides an alternative through UID mapping.
