GHSA-x744-4wpc-v9h2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x744-4wpc-v9h2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x744-4wpc-v9h2/GHSA-x744-4wpc-v9h2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x744-4wpc-v9h2
- Aliases
- Downstream
- Related
- Published
- 2026-03-27T17:43:16Z
- Modified
- 2026-04-02T21:26:02.143853785Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Moby has AuthZ plugin bypass when provided oversized request bodies
- Details
-
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for CVE-2024-41110.
Impact
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately: - Avoid using AuthZ plugins that rely on request body inspection for security decisions. - Restrict access to the Docker API to trusted parties, following the principle of least privilege.
Credits
- 1seal / Oleh Konko (@1seal)
- Cody (c@wormhole.guru)
- Asim Viladi Oglu Manizada (@manizada)
Resources
- Database specific
{ "cwe_ids": [ "CWE-288", "CWE-863" ], "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2026-03-27T17:43:16Z", "nvd_published_at": "2026-03-31T03:15:57Z" }- References
-
- https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
- https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
- https://nvd.nist.gov/vuln/detail/CVE-2026-34040
- https://github.com/moby/moby/commit/e89edb19ad7de0407a5d31e3111cb01aa10b5a38
- https://docs.docker.com/engine/extend/plugins_authorization
- https://github.com/moby/moby
- https://github.com/moby/moby/releases/tag/docker-v29.3.1
Affected packages
Go / github.com/moby/moby
Package
- Name
- github.com/moby/moby
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/moby/moby
Go / github.com/docker/docker
Package
- Name
- github.com/docker/docker
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/docker/docker
Go / github.com/moby/moby/v2
Package
- Name
- github.com/moby/moby/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/moby/moby/v2