docker-fixes-authz-bypass-vulnerability-exposing-containers-with-unrestricted-access

Docker Fixes Privilege Escalation Flaw in AuthZ Middleware

Docker, Inc. has released a patch for a critical vulnerability in the Docker Engine's AuthZ middleware that lets an attacker with access to the Docker API bypass the authorization checks enforced by AuthZ plugins.

Vulnerability Overview

  • The vulnerability, tracked as CVE-2026-34040, is triggered by an HTTP request to the Docker API whose body is larger than 1 MB.
  • For such requests, the Docker middleware fails to pass the request body to the AuthZ plugin, so the plugin evaluates the request without the container settings it exists to inspect.
  • As a result, containers with settings the policy would otherwise reject, including `"Privileged": true` in `HostConfig`, can be created.
According to Cyera researchers, the issue is related to the previously known CVE-2024-41110. That earlier flaw had originally been fixed in 2019, but the fix was not carried forward to later versions; the researchers argue that the later patch still did not address the root cause, which is what allowed this regression.
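The following is an added illustration of the mechanism described above, written for this page; it is not Docker's middleware code or Cyera's proof of concept. It models a toy AuthZ plugin that denies privileged container creation, a middleware that mimics the flawed behaviour (a body above the forwarding limit is not passed to the plugin), and a middleware that mimics the fix (oversized bodies rejected, everything else always forwarded). The 1 MiB and 4 MiB thresholds, the plugin policy and the padded request body are assumptions made for the demonstration.

```python
import json

# Assumed thresholds for this illustration: the advisory says bodies over 1 MB
# were not forwarded to the plugin, and the fixed engine caps bodies at 4 MB.
VULN_FORWARD_LIMIT = 1 * 1024 * 1024
FIXED_MAX_BODY = 4 * 1024 * 1024


def authz_plugin(method, path, body):
    """Toy AuthZ plugin: deny any container creation that asks for a
    privileged container. A real plugin receives the method, URI and body of
    the request; this function mirrors that shape but nothing else."""
    if method == "POST" and "/containers/create" in path and body:
        spec = json.loads(body)
        if spec.get("HostConfig", {}).get("Privileged"):
            return False, "privileged containers are not allowed"
    return True, "allowed"


def vulnerable_middleware(method, path, body):
    """Models the flaw described in the advisory: a body larger than the
    forwarding limit is simply not passed on, so the plugin sees an empty body,
    cannot see HostConfig.Privileged, and the policy is bypassed."""
    forwarded = body if len(body) <= VULN_FORWARD_LIMIT else b""
    return authz_plugin(method, path, forwarded)


def fixed_middleware(method, path, body):
    """Models the fixed behaviour: bodies above the cap are rejected outright,
    and every body below it is forwarded to the plugin in full."""
    if len(body) > FIXED_MAX_BODY:
        return False, "request body too large"
    return authz_plugin(method, path, body)


def build_create_request(privileged, pad_to=0):
    """Constructed sample /containers/create body. `pad_to` inflates it with a
    harmless label so the request crosses the forwarding limit, which is the
    trick the advisory describes."""
    spec = {"Image": "alpine", "Cmd": ["sh"],
            "HostConfig": {"Privileged": privileged}}
    if pad_to:
        spec["Labels"] = {"pad": "A" * pad_to}
    return json.dumps(spec).encode()


def demo():
    """Run the same privileged request through both middlewares and report
    whether each one lets it through (True means the request was allowed)."""
    path = "/v1.43/containers/create"
    small = build_create_request(True)
    large = build_create_request(True, pad_to=VULN_FORWARD_LIMIT)  # > 1 MiB, < 4 MiB
    huge = build_create_request(True, pad_to=FIXED_MAX_BODY)       # > 4 MiB
    return {
        "vuln_small": vulnerable_middleware("POST", path, small)[0],
        "vuln_large": vulnerable_middleware("POST", path, large)[0],
        "fixed_large": fixed_middleware("POST", path, large)[0],
        "fixed_huge": fixed_middleware("POST", path, huge)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

Only the padded request against the vulnerable middleware is allowed: the plugin never sees the `Privileged` flag because it never sees the body. The fixed middleware either forwards the full body (and the plugin denies it) or rejects the request for being too large, so there is no size at which the policy is skipped.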

Exploitation Demonstration

Cyera researchers demonstrated the vulnerability by crafting a malicious payload and sending it to a Docker-based sandbox environment. This allowed the attacker to create a privileged container with access to the host filesystem and the sensitive information stored on it.

“We’re not just talking about a privilege escalation,” the researchers said. “The attacker now has the actual data and secrets that the authorization policy existed to protect.”

Mitigation Recommendations

  • Docker has released Docker Engine 29.3.1, which raises the maximum request body size forwarded to the plugin to 4 MB and rejects requests whose body exceeds 4 MB.
  • The company advises users to restrict Docker API access to trusted IP addresses and authenticated clients, and to audit recently created containers for unexpected settings.
  • Cyera emphasizes the importance of robust authorization practices and advises against relying solely on AuthZ plugins as a defense mechanism.
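As an added example for the audit recommendation above (not a tool from Docker or Cyera), the following script scans `docker inspect` output for containers created after a given time that carry settings an AuthZ policy would normally block: `HostConfig.Privileged`, `PidMode: host`, and bind mounts of the host root or the Docker socket. The sample records embedded below are constructed for the example and contain only the fields the script reads; the field names and the RFC 3339 timestamp format match what `docker inspect` prints.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of `docker inspect` output (a JSON array).
# Only the fields used by the audit are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3",
        "Name": "/web",
        "Created": "2026-04-01T09:00:00.123456789Z",
        "HostConfig": {"Privileged": False, "Binds": None, "PidMode": ""},
    },
    {
        "Id": "d4e5f6",
        "Name": "/suspicious",
        "Created": "2026-04-02T13:37:00.000000000Z",
        "HostConfig": {"Privileged": True, "Binds": ["/:/host"], "PidMode": "host"},
    },
])

RISKY_HOST_PATHS = {"/", "/var/run/docker.sock"}


def parse_created(ts):
    """Docker prints RFC 3339 timestamps with nanoseconds, which datetime does
    not accept, so trim the fraction to microseconds before parsing."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{base}.{micro}").replace(tzinfo=timezone.utc)


def risky_containers(inspect_json, since_iso):
    """Return (name, reasons) for every container created at or after
    `since_iso` (RFC 3339, UTC) whose HostConfig has a setting that a deny
    policy would normally reject."""
    since = parse_created(since_iso)
    findings = []
    for c in json.loads(inspect_json):
        if parse_created(c["Created"]) < since:
            continue
        hc = c.get("HostConfig") or {}
        reasons = []
        if hc.get("Privileged"):
            reasons.append("Privileged")
        if hc.get("PidMode") == "host":
            reasons.append("PidMode=host")
        for bind in hc.get("Binds") or []:
            host_path = bind.split(":")[0]
            if host_path in RISKY_HOST_PATHS:
                reasons.append(f"bind {bind}")
        if reasons:
            findings.append((c["Name"].lstrip("/"), reasons))
    return findings


if __name__ == "__main__":
    # Usage: docker ps -aq | xargs docker inspect | python audit.py 2026-04-01T00:00:00Z
    since_arg = sys.argv[1] if len(sys.argv) > 1 else "1970-01-01T00:00:00Z"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in risky_containers(data, since_arg):
        print(f"{name}: {', '.join(reasons)}")
```

Run it against the live daemon with `docker ps -aq | xargs docker inspect` piped to stdin; with no stdin it scans the constructed sample. Anything it reports that an authorized user did not create is a candidate for the bypass described in this article and warrants a closer look at the daemon's request logs.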
