FIND-20260402-002 · 2026-04-02 · Innovation Veille
CVE-2026-34040: Docker AuthZ plugin bypass via oversized request bodies — PATCHED in v29.3.1
cve
HIGH
HIGH (CVSS 8.8): an incomplete fix for CVE-2024-41110. Attackers can bypass Docker AuthZ plugins by sending oversized request bodies that cause the plugin to skip authorization checks under specific conditions. Affects Moby/Docker prior to 29.3.1. ODS runs Docker Engine 29.3.1 — the patch is already in place. The vulnerability was last modified 2026-03-31. This is a repeat pattern (the second bypass of the same AuthZ plugin mechanism), indicating a structural weakness in Docker's authorization plugin architecture.
Source
https://vulnerability.circl.lu/vuln/cve-2026-34040
ODS Impact
ODS infrastructure uses Docker on both srv-agents and srv-staging (Coolify PaaS). All containers, including oid, docstore, redpanda, and postgres, are managed by Docker. AuthZ plugins are not explicitly used in ODS config (Coolify manages access), reducing practical exploitability. Confirm Docker version is 29.3.1+ on both servers. Consider auditing Coolify's API access patterns as a compensating control.
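As an added example (not part of this finding, of Moby/Docker or of Coolify), a POSIX shell check that answers the two questions above for one host: is the engine below the fixed release 29.3.1, and does the daemon config list any AuthZ plugins? The daemon.json path, the constructed sample config and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example: version and AuthZ-plugin check for CVE-2026-34040.
# FIXED_VERSION comes from the finding; everything else is an assumption.
FIXED_VERSION="29.3.1"

# version_lt A B: exit 0 if A is strictly lower than B. Fields are compared
# numerically, so 29.10.0 is newer than 29.3.1 (a string compare gets that wrong).
# Pre-release suffixes such as -rc1 are dropped from the field they follow.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
    x="${x:-0}"; y="${y:-0}"
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 1
}

# authz_plugins_in_config FILE: exit 0 if daemon.json carries a non-empty
# "authorization-plugins" array. Dependency-free, so it is deliberately crude.
authz_plugins_in_config() {
  [ -r "$1" ] || return 1
  tr -d ' \n\t' < "$1" | grep -q '"authorization-plugins":\[[^]]'
}

# assess_host VERSION FILE: print a verdict combining both checks.
assess_host() {
  if version_lt "$1" "$FIXED_VERSION"; then
    if authz_plugins_in_config "$2"; then echo "VULNERABLE_AUTHZ_IN_USE"
    else echo "UNPATCHED_NO_AUTHZ"; fi
  else
    echo "PATCHED"
  fi
}

# Constructed sample config for offline runs (not the ODS config): one plugin enabled.
SAMPLE_CFG="${TMPDIR:-/tmp}/daemon-sample.json"
printf '{ "authorization-plugins": ["example-authz"], "log-level": "info" }\n' > "$SAMPLE_CFG"
assess_host "29.2.0" "$SAMPLE_CFG"

# On a real host (assumed paths/commands, not run here):
#   assess_host "$(docker version --format '{{.Server.Version}}')" /etc/docker/daemon.json
```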
Security Review
License: N/A (CVE) | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE
Tags
cve
docker
high
authz
container
patched
infrastructure