You can bypass every AuthZ plugin in Docker with one HTTP request. Pad the container creation request past 1MB. The authorization system silently drops the body. The plugin gets an empty request, says “sure, go ahead,” and Docker processes the full thing. You get a privileged container with host root access.

CVE-2026-34040. CVSS 8.8. This bug has been in Docker Engine since version 1.10, released in February 2016. Ten years.

It’s not even the first time someone found it. CVE-2024-41110 caught zero-length request bodies in 2024. That fix missed oversized bodies entirely. So the root cause just sat there. It works against OPA, Prisma Cloud, Casbin, every custom AuthZ plugin anyone has ever written. The vulnerability isn’t in the plugins. It’s in how Docker feeds requests to them.

Docker has 92% adoption among IT professionals. Twenty billion container image pulls per month. If you’re running anything before version 29.3.1, your AuthZ plugins are decoration.

Here’s the part that should really bother you. Researchers demonstrated that an AI coding agent with restricted Docker API access could be tricked into exploiting this through prompt injection. The agent clones a repo containing hidden instructions. Those instructions tell it to create a privileged container with a padded request. AuthZ sees nothing. The agent escapes its sandbox and now has the host filesystem, AWS credentials, SSH keys, Kubernetes configs.

Enterprises are handing Docker API access to AI agents for CI/CD, dev environments, and automated testing. Those agents follow instructions. If the instructions come from a poisoned repository instead of a human, the agent doesn’t know the difference.

Update to Docker Engine 29.3.1. Today. And stop treating AuthZ plugins as a security boundary by themselves. If your entire container security posture depends on a single authorization check that can be bypassed with a fat HTTP request, you never really had security. You had a checkbox.
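A plugin-side, fail-closed version of the decision described above, as an added example that is not code from this post or from Docker. The field names follow the JSON Docker sends to an AuthZ plugin; the endpoint list, the "no privileged containers" policy, the API version in the URI and the sample requests are constructed assumptions, and the dropped body is modeled as an absent `RequestBody`.

```python
import base64
import json

# Endpoints whose decision depends on the JSON body (illustrative, not exhaustive).
BODY_REQUIRED = ("/containers/create",)

def _deny(msg):
    return {"Allow": False, "Msg": msg}

def authorize(authz_req, fail_closed=True):
    """Decide on the JSON object Docker POSTs to /AuthZPlugin.AuthZReq.
    fail_closed=False reproduces the naive behaviour: an absent body is read
    as an empty container spec, which contains nothing to object to."""
    path = authz_req.get("RequestUri", "").split("?", 1)[0]
    if authz_req.get("RequestMethod") != "POST" or not path.endswith(BODY_REQUIRED):
        return {"Allow": True}
    raw = base64.b64decode(authz_req.get("RequestBody") or "")
    if not raw:
        if fail_closed:
            return _deny("request body missing; refusing to authorize blind")
        raw = b"{}"
    try:
        spec = json.loads(raw)
    except ValueError:
        return _deny("request body is not valid JSON")
    if not isinstance(spec, dict):
        return _deny("request body is not a JSON object")
    if (spec.get("HostConfig") or {}).get("Privileged"):
        return _deny("privileged containers are not allowed")
    return {"Allow": True}

def _req(body=None):
    """Build a constructed AuthZ request; body=None models the daemon dropping it."""
    req = {"RequestMethod": "POST", "RequestUri": "/v1.47/containers/create?name=demo"}
    if body is not None:
        req["RequestBody"] = base64.b64encode(json.dumps(body).encode()).decode()
    return req

# Constructed samples: the same privileged spec, with and without the body forwarded.
PRIVILEGED = {"Image": "alpine", "HostConfig": {"Privileged": True}}
SEEN = _req(PRIVILEGED)
DROPPED = _req(None)

if __name__ == "__main__":
    for name, req in (("body forwarded", SEEN), ("body dropped", DROPPED)):
        naive, strict = authorize(req, fail_closed=False), authorize(req)
        print(f"{name}: naive={naive['Allow']} fail-closed={strict['Allow']}")
```

Denying on a missing body is defense in depth inside the plugin and does not replace the engine update.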

