CVE-2026-34040: Moby has AuthZ plugin bypass when provided oversized request bodies
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for CVE-2024-41110.
References
- docs.docker.com/engine/extend/plugins_authorization
- github.com/advisories/GHSA-x744-4wpc-v9h2
- github.com/moby/moby
- github.com/moby/moby/commit/e89edb19ad7de0407a5d31e3111cb01aa10b5a38
- github.com/moby/moby/releases/tag/docker-v29.3.1
- github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
- github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
- nvd.nist.gov/vuln/detail/CVE-2026-34040