A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances.

The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.

“Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body,” Docker Engine maintainers said in an advisory released late last month. “The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.”

“Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.”

Multiple security vulnerabilities, including Asim Viladi Oglu Manizada, Cody, Oleh Konko, and Vladimir Tokarev, have been credited with independently discovering and reporting the bug. The issue has been patched in Docker Engine version 29.3.1.

According to a report published by Cyera Research Labs researcher Tokarev, the vulnerability stems from the fact that the fix for CVE-2024-41110 did not properly handle oversized HTTP request bodies, thereby opening the door to a scenario where a single padded HTTP request can be used to create a privileged container with host file system access.

In a hypothetical attack scenario, an attacker who has Docker API access restricted by an AuthZ plugin can undermine the mechanism by padding a container creation request to more than 1MB, causing it to be dropped before reaching the plugin.

“The plugin allows the request because it sees nothing to block,” Tokarev said in a report shared with The Hacker News. “The Docker daemon processes the full request and creates a privileged container with root access to the host: your AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. This works against every AuthZ plugin in the ecosystem.”

What’s more, an artificial intelligence (AI) coding agent like OpenClaw running inside a Docker-based sandbox can be tricked into executing a prompt injection concealed within a specifically crafted GitHub repository as part of a regular developer workflow, resulting in the execution of malicious code that exploits CVE-2026-34040 to bypass authorization using the above approach and create a privileged container and mount the host file system.

With this level of access in place, the attacker can extract credentials for cloud services, and abuse them to take control of cloud accounts, Kubernetes clusters, and even SSH into production servers.

It doesn’t end there. Cyera also cautioned that AI agents can figure out the bypass on their own and trigger it by constructing a padded HTTP request upon encountering errors when attempting to access files like kubeconfig as part of a legitimate debugging task issued by a developer (e.g., debug the K8s out-of-memory issue). This approach eliminates the need for planting a poisoned repository containing the malicious instructions.

“AuthZ plugin denied the mount request,” Cyera explained. “The agent has access to the Docker API and knows how HTTP works. CVE-2026-34040 doesn’t require any exploit code, privilege, or special tools. It’s a single HTTP request with extra padding. Any agent that can read Docker API documentation can construct it.”

As temporary workarounds, it’s recommended to avoid using AuthZ plugins that rely on request body inspection for security decisions, limit access to the Docker API to trusted parties by following the principle of least privilege, or run Docker in rootless mode.

“In rootless mode, even a privileged container’s ‘root’ maps to an unprivileged host UID,” Tokarev said. “The blast radius drops from ‘full host compromise’ to ‘compromised unprivileged user.’ For environments that can’t go fully rootless, –userns-remap provides similar UID mapping.”