CVE-2026-34040

Moby: AuthZ plugin bypass with oversized request body

CVSS 8.8 HIGH · EPSS 8.1% · CWE-288
In short

The Moby container framework had a flaw that let attackers bypass security authorization checks by sending specially crafted requests with oversized bodies. This could allow unauthorized access to container operations that should have been blocked.

Technical detail

A vulnerability in Moby prior to v29.3.1 permits AuthZ plugin bypass via oversized request body manipulation (CWE-288: Improper Authentication). The attack requires no privileges and directly circumvents authorization controls, enabling unauthorized container operations with high integrity and confidentiality impact.

Summary generated and translated by AI from the official description.
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
moby · moby