Overview
The vulnerability lies in how the Docker daemon handles large HTTP request bodies when interacting with Authorization Plugins (AuthZ) such as OPA or Prisma Cloud. By sending a request larger than 1MB, an attacker can trick the daemon into forwarding an empty request body to the security plugin. The plugin, seeing an empty body, may permit the action, but the daemon then executes the original (full) malicious request.
Impact and Risk Assessment
Risk Level: High
CVSS Score: 8.8 (CVSS v3.1)
Vectors: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.01% (Rising as PoCs circulate)
CVE-2026-34040, disclosed in late March 2026, is an “incomplete fix” regression of the high-severity CVE-2024-41110. It allows an attacker with access to the Docker API to bypass third-party authorization (AuthZ) plugins and gain full host-level root access.
Reason for Risk Level
No complex chaining or race conditions are required; a single padded HTTP request triggers the flaw. A low-privilege user with limited API access can escalate to root on the host.
Docker is foundational infrastructure, meaning any environment relying on AuthZ plugins for multi-tenancy or security (e.g., CI/CD pipelines) is vulnerable.
Impact
Attackers can create privileged containers that mount the host filesystem.
Direct bypass of the “last line of defense” (AuthZ) allows for immediate escape to the host.
Vulnerability Details
Docker’s middleware silently truncates API request bodies that exceed 1MB before passing them to the AuthZ plugin. However, the daemon continues to process the full original request. If a plugin’s security decision depends on inspecting the request body (e.g., “Is this container privileged?”), it will see an empty body, find nothing to block, and return an “Allow” response.
Affected Products, Systems, and Versions:
- All versions of Moby (Docker Engine) prior to 29.3.1.
- All versions of Docker Desktop prior to 29.3.1.
- Systems and environments that use AuthZ plugins, such as OPA (Open Policy Agent), Prisma Cloud, or custom plugins, for Docker API access control.
Attack Vector and Exploitation Scenario
The attacker has local or network access to a Docker API (often via a developer machine or a CI/CD runner) and crafts a request to /containers/create with a body larger than one megabyte (1MB). The first megabyte is “padding,” and the actual malicious instruction (e.g., "Privileged": true) is placed at the end.
The Docker daemon sends a truncated/empty body to the AuthZ plugin.
The plugin approves the “empty” request. The daemon then creates the privileged container, allowing the attacker to mount / and take over the host.
Additionally, an artificial intelligence (AI) coding agent like OpenClaw running inside a Docker-based sandbox can be tricked into executing a prompt injection concealed within a specially crafted GitHub repository as part of a regular developer workflow. This results in the execution of malicious code that exploits CVE-2026-34040 to bypass authorization using the above approach, create a privileged container, and mount the host file system.
MITRE ATT&CK Mapping (CVE-2026-34040)
| Tactic | Technique ID | Technique Name | Observed Behavior in CVE-2026-34040 |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploiting the Docker API endpoint. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Using the bypass to create a privileged container. |
| Privilege Escalation | T1611 | Escape to Host | Mounting the host filesystem from the privileged container. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable/Modify Tools | Bypassing AuthZ plugins (e.g., OPA). |
| Credential Access | T1552.001 | Credentials in Files | Searching the host for .aws/credentials or SSH keys. |
Exploit Status
- Public PoC: Detailed technical write-ups are available (notably from Cyera Research).
- Active Exploitation: Observed in the wild; specifically, AI coding agents (like OpenClaw) have been observed accidentally or maliciously triggering the bypass during automated debugging tasks.
- Weaponization: Integrated into several private exploit kits targeting cloud-native environments.
Operational Implication
This is a “blind spot” vulnerability. Because the AuthZ plugin approves the request, traditional security logs may show the action as “Authorized,” making it extremely difficult to distinguish from legitimate administrative activity.
With that level of access, the attacker can extract credentials for cloud services and abuse them to take control of cloud accounts, Kubernetes clusters, and even SSH into production servers.
Mitigation and Recommendations
- Upgrade Docker Engine to version 29.3.1 or later.
- Run Docker in rootless mode. This significantly reduces the blast radius, mapping “root” inside the container to an unprivileged user on the host.
- Restrict access to the Docker socket (/var/run/docker.sock) and use TLS with client certificate authentication for network-exposed APIs.
Detection and Monitoring Guidance
- Look for HTTP POST or PUT requests to the Docker API that have a Content-Length significantly larger than their usual baseline (specifically >1,048,576 bytes).
- Alert on the creation of any privileged containers or containers mounting sensitive host paths (e.g., /etc, /root, .ssh).
- Monitor for low-privilege users or AI agents executing docker run --privileged.
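The first two checks above can be sketched as follows. This is an added example, not code from the advisory or from Docker. It assumes a hypothetical proxy in front of the Docker API that writes JSON log lines with user, method, uri and content_length fields, and it reads the HostConfig.Privileged, HostConfig.Binds and Mounts fields of docker inspect output; all sample data is constructed.

```python
import json
from pathlib import PurePosixPath

BODY_LIMIT = 1_048_576              # byte threshold from the guidance above
SENSITIVE_DIRS = ("/etc", "/root")  # host paths named in the guidance

# Constructed sample: JSON access-log lines from a hypothetical API proxy.
SAMPLE_LOG = [
    '{"user": "ci-runner", "method": "POST", "uri": "/containers/create", "content_length": 1048900}',
    '{"user": "dev", "method": "POST", "uri": "/containers/create", "content_length": 812}',
    '{"user": "dev", "method": "GET", "uri": "/images/json", "content_length": 0}',
    "not json",
]
# Constructed sample shaped like one `docker inspect` object.
SAMPLE_INSPECT = {
    "HostConfig": {"Privileged": True,
                   "Binds": ["/:/host", "/home/dev/.ssh:/keys:ro", "/srv/data:/data"]},
    "Mounts": [{"Type": "bind", "Source": "/etc"}],
}

def oversized_requests(log_lines):
    """Return POST/PUT records whose Content-Length exceeds BODY_LIMIT."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
            size = int(rec.get("content_length", 0))
        except (ValueError, TypeError, AttributeError):
            continue  # malformed record: skip it rather than abort the scan
        if rec.get("method") in ("POST", "PUT") and size > BODY_LIMIT:
            hits.append(rec)
    return hits

def is_sensitive(host_path):
    """True for /, anything under SENSITIVE_DIRS, or any path through .ssh."""
    p = PurePosixPath(host_path)
    if str(p) == "/" or ".ssh" in p.parts:
        return True
    return any(p == PurePosixPath(d) or PurePosixPath(d) in p.parents
               for d in SENSITIVE_DIRS)

def risky_container(inspect):
    """Return the reasons a container's inspect data should raise an alert."""
    host = inspect.get("HostConfig") or {}
    reasons = ["privileged"] if host.get("Privileged") else []
    sources = [b.split(":", 1)[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in inspect.get("Mounts") or []
                if m.get("Type") == "bind"]
    reasons += [f"bind:{s}" for s in dict.fromkeys(sources) if s and is_sensitive(s)]
    return reasons
```

Endpoints such as /build and /images/load carry large bodies in normal use, so the size check is most useful when compared against a per-endpoint baseline.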
References
https://thehackernews.com/2026/04/docker-cve-2026-34040-lets-attackers.html
https://nvd.nist.gov/vuln/detail/CVE-2026-34040
https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2