Cyera Research Discovers Docker Authorization Bypass That Silently Disables Security Policies, Enabling Full Host Takeover
How an Oversized HTTP Request Disables Docker AuthZ Plugins: A Cyera Research Brief

CYERA RESEARCH · Executive Brief · April 2026 · CVE-2026-34040
ACTION REQUIRED
Patch immediately: Docker Engine 29.3.1 and Docker Desktop 4.66.1 are available now. If you cannot patch immediately, see the mitigation steps under "What to do now" below.
CYERA RESEARCH · VULNERABILITY DISCLOSURE
A single oversized HTTP request disables every Docker authorization plugin in the ecosystem, granting root-level access to host systems. The flaw affects 92% of enterprise container deployments worldwide and may be discoverable by AI agents autonomously.
- Severity: CVSS 8.8 (High)
- Deployment: 92% of enterprise container deployments run Docker
- History: This class of bug has hidden in the codebase for 5 years
- Trigger: A single request body over 1 MB silences all security plugins
- Detection: 0 AuthZ plugins are able to detect or block it
Key findings at a glance
- Authorization bypass in Docker Engine: CVE-2026-34040, CVSS 8.8 High. Docker is the world's most widely used container runtime, with 92% adoption among IT professionals and over 20 billion container image pulls per month.
- Request bodies larger than 1 MB are silently dropped: The body is discarded before it reaches the AuthZ plugin, but the Docker daemon still processes the full request normally. A single padded HTTP request is enough to create a privileged container with full host filesystem access.
- Incomplete fix for a perfect-10.0 vulnerability: The prior bug (CVE-2024-41110, CVSS 10.0) was a zero-length body bypass patched in July 2024. This is the same vulnerability class with a different size boundary. That original regression lived undetected for five years.
- Root cause: CWE-863 (Incorrect Authorization) - a bug class the OWASP Top 10 has listed since 2003. Not a novel zero-day, but a foundational vulnerability class appearing in critical modern infrastructure.
- Exploitability: High and simple. A single HTTP request with no race conditions or timing dependencies works over TCP/TLS across enterprise deployments, CI/CD systems, and management platforms. It bypasses OPA, Prisma Cloud, Casbin, and any custom AuthZ plugin equally.
- Patch availability: Docker Engine 29.3.1 is available—update immediately.
Everyone is talking about breaking out of containers. That's not what happened here.
Container escapes like NVIDIAScape (CVE-2025-23266) or SCARLETEEL demonstrate breaking out of a running container. The vulnerability Cyera Research found is different; the escape starts before the container is even created. The security check responsible for preventing dangerous containers never sees the request that creates them.
The finding: a bouncer who goes home when the line gets long
When an API request body exceeds 1 MB, Docker's middleware silently drops the body before your authorization plugin sees it. The plugin, seeing nothing to inspect, approves the request. The Docker daemon then processes the full body and creates the requested container, potentially granting full host filesystem access.
HOW THE BYPASS WORKS
- Attacker sends padded request >1 MB: A normal request plus a dummy padding field.
- Middleware silently drops the body: The size check trips, the body is skipped, and the plugin is handed a request with no body to inspect.
- AuthZ plugin sees nothing and allows: OPA, Prisma, and Casbin are all equally blind.
- Daemon creates privileged container: With the host filesystem mounted, whatever the host holds (AWS keys, SSH keys, kubeconfig files) is exposed.
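The fail-open pattern in the four steps above, beside the fail-closed alternative, as a self-contained Go illustration written for this brief. It is not code from the Docker Engine or from Cyera: the middleware, the plugin stand-in that denies privileged containers, the daemon stand-in and the 413 status used for the rejected case are all this example's own. Only the 1 MB boundary and the shape of the /containers/create request (Image, HostConfig.Privileged, HostConfig.Binds) come from the brief and the Engine API.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBodySize = 1 << 20 // the 1 MB boundary the brief describes

type createRequest struct{ HostConfig struct{ Privileged bool } } // the part of a /containers/create body the policy reads

// denyPrivileged stands in for an AuthZ plugin that forbids privileged containers.
// It can only judge what it is handed: a nil body leaves nothing to inspect.
func denyPrivileged(body []byte) (bool, string) {
	if body == nil {
		return true, "no body forwarded" // the fail-open decision the brief describes
	}
	var req createRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, "unparseable body"
	}
	if req.HostConfig.Privileged {
		return false, "privileged containers are not allowed"
	}
	return true, "ok"
}

// peekBody buffers the body for the plugin without consuming it for the daemon
// and reports whether it is 1 MB or more, the oversized case.
func peekBody(r *http.Request) ([]byte, bool, error) {
	br := bufio.NewReaderSize(r.Body, maxBodySize)
	data, err := br.Peek(maxBodySize)
	r.Body = io.NopCloser(br) // the daemon later reads the whole body from here
	if err == nil {
		return nil, true, nil // buffer filled: oversized, nothing is forwarded
	}
	if err != io.EOF {
		return nil, false, err
	}
	return bytes.Clone(data), false, nil
}

// authzMiddleware gates next with denyPrivileged. With failOpen an oversized body is
// skipped and the plugin decides on nothing (the brief's pattern); otherwise it rejects.
func authzMiddleware(next http.Handler, failOpen bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, oversized, err := peekBody(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if oversized && !failOpen {
			http.Error(w, "body exceeds authorization limit", http.StatusRequestEntityTooLarge)
			return
		}
		if ok, reason := denyPrivileged(body); !ok {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// daemonStub plays the Docker daemon: it reads the full body whatever its size.
func daemonStub() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req createRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, "created privileged=%v\n", req.HostConfig.Privileged)
	})
}

// createBody builds a /containers/create payload; padding goes into an extra field the daemon ignores.
func createBody(privileged bool, padding int) []byte {
	b, _ := json.Marshal(map[string]any{
		"Image":      "alpine",
		"HostConfig": map[string]any{"Privileged": privileged, "Binds": []string{"/:/host"}},
		"Padding":    strings.Repeat("A", padding),
	})
	return b
}

// postCreate sends body through the handler chain and returns the HTTP status.
func postCreate(h http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/v1.47/containers/create", bytes.NewReader(body)))
	return rec.Code
}

func main() {
	padded := createBody(true, maxBodySize) // privileged create pushed over the boundary
	fmt.Println("fail-open:", postCreate(authzMiddleware(daemonStub(), true), padded), "fail-closed:", postCreate(authzMiddleware(daemonStub(), false), padded))
}
```

Running it prints `fail-open: 201 fail-closed: 413`: the same padded request that the policy would deny at a small size sails through the fail-open chain and is created by the daemon, while the fail-closed chain refuses to decide on a body it could not inspect. The plugin stand-in allows a nil body on purpose, because the brief's point is that the plugins never receive the body at all; the fix belongs in the middleware, not in every plugin.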
The new dimension: AI agents that find the gap themselves
AI coding agents may discover and exploit this autonomously while trying to complete legitimate tasks. For example, an agent tasked with debugging a Kubernetes cluster might research a blocked host mount, find CVE-2024-41110 in its training data, notice the size boundary, and construct a padded request to bypass the restriction.
What to do now
- 01: Verify your Docker Engine version: Run docker version --format '{{.Server.Version}}'. Any version below 29.3.1 is vulnerable.
- 02: Check whether you use AuthZ plugins: Run docker info --format '{{.Plugins.Authorization}}'. If plugin names are returned, your deployment is at risk; if the list is empty, there is no plugin policy for this bug to bypass, but patch anyway.
- 03: Check for evidence of exploitation: Search daemon logs using journalctl -u docker | grep "Request body is larger than". A hit means the daemon skipped an oversized body; identify which client sent the request before treating it as an attack.
- 04: Audit AI agent Docker API access: Review which automated systems have Docker API access and whether that scope is necessary.
- 05: Add a reverse proxy size limit if patching is delayed: A 512 KB body limit at your API gateway can block bypass attempts, but only for traffic that passes through the gateway; clients with direct access to the Docker socket or TCP port are not covered.
- 06: Know what is on your Docker hosts: Identify hosts with access to production credentials or regulated data; these are your highest-priority patch targets.
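Steps 01 to 03 above as a triage helper, written in Go for this brief and not taken from Cyera's or Docker's tooling. It assumes you have already captured the output of the two docker commands and of journalctl on each host and feed those strings in; the version rule is the brief's (anything below 29.3.1 is vulnerable), the journal lines are constructed for the example, and the priority scale is this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedVersion is the Engine release the brief names as patched.
var fixedVersion = [3]int{29, 3, 1}

// parseVersion reads `docker version --format '{{.Server.Version}}'` output such as
// "28.0.4" or "27.1.1-ce"; anything after the third number is ignored.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]); err != nil || n != 3 {
		return v, fmt.Errorf("unexpected version %q", strings.TrimSpace(s))
	}
	return v, nil
}

// isVulnerable applies the brief's rule: any Engine below 29.3.1 is affected (minor and patch assumed below 1000).
func isVulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	key := func(v [3]int) int { return v[0]*1_000_000 + v[1]*1_000 + v[2] }
	return key(v) < key(fixedVersion), nil
}

// authzPlugins parses `docker info --format '{{.Plugins.Authorization}}'`, which
// prints the list as a Go slice: "[opa-docker-authz]" or "[]" when none is loaded.
func authzPlugins(infoOutput string) []string {
	s := strings.TrimSpace(infoOutput)
	return strings.Fields(strings.TrimSuffix(strings.TrimPrefix(s, "["), "]"))
}

// bypassAttempt is one oversized-body warning found in the daemon journal.
type bypassAttempt struct {
	When  string // journal timestamp when the line carried one
	Limit int    // the limit the daemon logged; 1048576 is the 1 MB boundary
}

// journalWarning matches the message the brief tells you to grep for; the optional
// leading group captures journalctl's default "Mon DD HH:MM:SS" timestamp.
var journalWarning = regexp.MustCompile(`^(?:(\S+ +\d+ [\d:]+) )?.*Request body is larger than: '(\d+)'`)

// bypassAttempts returns every warning found in the journal lines.
func bypassAttempts(lines []string) []bypassAttempt {
	var out []bypassAttempt
	for _, l := range lines {
		if m := journalWarning.FindStringSubmatch(l); m != nil {
			limit, _ := strconv.Atoi(m[2])
			out = append(out, bypassAttempt{When: m[1], Limit: limit})
		}
	}
	return out
}

// hostReport combines checks 01 to 03 for one host. Priority is this example's own
// scale: 0 patched, 1 unpatched but no plugin to bypass, 2 unpatched with a plugin,
// 3 unpatched with a plugin and oversized-body warnings already in the journal.
type hostReport struct {
	Plugins  []string
	Attempts []bypassAttempt
	Priority int
	Verdict  string
}

func triage(version, infoOutput string, journal []string) (hostReport, error) {
	vuln, err := isVulnerable(version)
	if err != nil {
		return hostReport{}, err
	}
	r := hostReport{Plugins: authzPlugins(infoOutput), Attempts: bypassAttempts(journal)}
	switch {
	case !vuln:
		r.Priority, r.Verdict = 0, "patched"
	case len(r.Plugins) == 0:
		r.Priority, r.Verdict = 1, "unpatched; no AuthZ plugin loaded, so no policy to bypass, but patch anyway"
	case len(r.Attempts) == 0:
		r.Priority, r.Verdict = 2, "unpatched with an AuthZ plugin: patch now"
	default:
		r.Priority, r.Verdict = 3, "unpatched with an AuthZ plugin and oversized-body warnings: patch now, then identify the client that sent them"
	}
	return r, nil
}

// sampleJournal is constructed for this example, not a real capture.
var sampleJournal = []string{
	`Mar 26 10:13:55 ci-runner-7 dockerd[1182]: time="2026-03-26T10:13:55.412Z" level=info msg="API listen on /var/run/docker.sock"`,
	`Mar 26 10:14:02 ci-runner-7 dockerd[1182]: time="2026-03-26T10:14:02.903Z" level=warning msg="Request body is larger than: '1048576' skipping body"`,
}

func main() {
	r, err := triage("28.0.4", "[opa-docker-authz]", sampleJournal)
	if err != nil {
		panic(err)
	}
	fmt.Printf("priority %d: %s (%d warning(s), first at %s)\n", r.Priority, r.Verdict, len(r.Attempts), r.Attempts[0].When)
}
```

Run it across your fleet by feeding each host's captured strings to triage and sorting by Priority; the constructed sample yields priority 3. A warning in the journal is the daemon telling you it skipped a body, not proof of an attack, so the verdict for that case sends you to the client that issued the request rather than straight to incident declaration. If your journal is configured for ISO timestamps the warning still matches, only the When field is left empty.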
How Cyera closes the gap that patching alone cannot
Cyera continuously maps and classifies sensitive data across your infrastructure. During an incident, Cyera's data map tells you immediately if a compromised host held sensitive data like production credentials or customer PII, helping determine notification obligations and response priority.
A pattern Cyera Research keeps finding across the AI infrastructure stack
- Target: LangChain (Research: LangDrained) - Vulnerability: Path traversal, deserialization injection, SQL injection.
- Target: Unstructured.io (Research: DESTRUCTURED) - Vulnerability: Arbitrary file write.
- Target: n8n (Research: N8Scape / Ni8mare) - Vulnerability: Sandbox escape, content-type confusion.
- Target: Grist (Research: Cellbreak) - Vulnerability: Pyodide sandbox escape.
- Target: Docker Engine (Research: CVE-2026-34040 ★ NEW) - Vulnerability: Authorization bypass (CWE-863).
Responsible disclosure timeline
- Jan 2019: Original AuthZ bypass fixed in Docker v18.09.1.
- 2019 – 2024: Fix not carried forward; regression lives in the codebase for five years.
- Jul 2024: CVE-2024-41110 published; zero-length body bypass patched in Docker v27.1.1.
- Mar 24, 2026: Cyera Research reports CVE-2026-34040.
- Mar 25, 2026: Docker Engine 29.3.1 released with a fail-closed fix.
- Mar 26 – 27, 2026: Docker Desktop 4.66.1 ships and CVE-2026-34040 is published on NVD.