Docker Product Security Update Advisory (CVE-2026-34040)

Overview.


CVE-2026-34040 is an authorization validation bypass vulnerability in Docker Engine’s handling of the AuthZ plugin. Docker Engine version 29.3.1 and earlier is affected.

Vulnerability details.


The vulnerability allows an attacker to bypass the AuthZ plugin’s authorization validation logic by crafting an oversized request body. A threat actor could potentially use this vulnerability to perform sensitive operations such as container creation and image manipulation without authorization verification.

Impact and Risk.


In an affected environment, authentication and authorization controls could be bypassed, with a serious impact on system integrity and availability. This is especially concerning in environments where administrative tasks can be executed externally.

Recommended Countermeasures.


A fix for the vulnerability is included in Docker Engine version 29.3.1. Affected systems should update Docker Engine to 29.3.1 or later. Before and after applying the patch, logs and access control settings should be reviewed for anomalies.

References.


AuthZ plugin bypass with oversized request body: https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2