Docker Engine authorization bypass lets attackers escape containers and access host credentials (CVE-2026-34040)

A high-severity Docker Engine flaw allows attackers to bypass authorization plugins with a single oversized HTTP request. CVE-2026-34040 (CVSS 8.8) stems from an incomplete fix for CVE-2024-41110 from July 2024 - the original patch missed requests over 1MB, which get forwarded to the Docker daemon without their body, so the AuthZ plugin sees nothing to block while the daemon processes the full malicious payload. The result: a privileged container with root access to the host filesystem, exposing AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. Critically, Cyera researchers demonstrated that AI coding agents running inside Docker sandboxes can be tricked via prompt injection into crafting the bypass request themselves - no human attacker needed.

Check

Check if you use Docker with authorization plugins (OPA, Prisma Cloud, or custom AuthZ policies). If you don't use AuthZ plugins, you're not affected by this specific flaw.

Affected

Docker Engine versions prior to 29.3.1 when running with AuthZ plugins enabled. The underlying flaw has existed since Docker Engine 1.10. Environments running AI agents or developer tools inside Docker containers are at elevated risk.

Fix

Update Docker Engine to version 29.3.1. If you can't patch immediately: avoid AuthZ plugins that rely on request body inspection, restrict Docker API access to trusted parties only, or run Docker in rootless mode so that even a privileged container maps to an unprivileged host UID. For AI agent sandboxes, apply the --userns-remap setting to limit blast radius.