{"id":"CVE-2026-34040","summary":"Moby: AuthZ plugin bypass with oversized request body","details":"Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.","aliases":["GHSA-x744-4wpc-v9h2","GO-2026-4887"],"modified":"2026-04-10T05:42:59.236674Z","published":"2026-03-31T01:36:48.205Z","related":["CGA-mjrp-qhw3-p2p3","SUSE-SU-2026:1205-1"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34040.json","cwe_ids":["CWE-288"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34040.json"},{"type":"WEB","url":"https://github.com/moby/moby/releases/tag/docker-v29.3.1"},{"type":"ADVISORY","url":"https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34040"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moby/moby","events":[{"introduced":"0"},{"fixed":"f78c987ad3710cacffe47fce696975ecb337148d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"29.3.1"}]}}],"versions":["0.0.3","api/v1.52.0","api/v1.52.0-alpha.0","api/v1.52.0-alpha.1","api/v1.52.0-beta.0","api/v1.52.0-beta.1","api/v1.52.0-beta.2","api/v1.52.0-beta.3","api/v1.52.0-beta.4","api/v1.52.0-rc.1","client/v0.1.0","client/v0.1.0-alpha.0","client/v0.1.0-beta.0","client/v0.1.0-beta.1","client/v0.1.0-beta.2","client/v0.1.0-beta.3","client/v0.1.0-rc.1","docker-v29.0.0","docker-v29.0.0-rc.1","docker-v29.0.0-rc.2","docker-v29.0.0-rc.3","docker-v29.0.1","docker-v29.0.2","docker-v29.0.3","docker-v29.0.4","docker-v29.1.3","docker-v29.1.4","docker-v29.1.5","docs-v1.12.0-rc4-2016-07-15","upstream/0.1.2","upstream/0.1.3","v0.1.0","v0.1.1","v0.1.2","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.3.2","v0.4.1","v0.4.2","v0.4.4","v0.4.5","v0.4.7","v0.5.0","v0.6.5","v0.7.0","v0.7.1","v0.7.2","v18.06.0-ce-rc1","v18.09.0-ce-tp0","v19.03.0-beta1","v19.03.0-beta2","v19.03.0-beta3","v2.0.0-beta.0","v2.0.0-beta.1","v2.0.0-beta.2","v2.0.0-beta.3","v20.10.0","v20.10.0-beta1","v20.10.0-rc1","v20.10.0-rc2","v20.10.1","v20.10.2","v22.06.0-beta.0","v24.0.0-beta.1","v24.0.0-beta.2","v24.0.0-rc.1","v24.0.0-rc.2","v25.0.0","v25.0.0-beta.1","v25.0.0-beta.2","v25.0.0-beta.3","v25.0.0-rc.1","v25.0.0-rc.2","v25.0.0-rc.3","v26.0.0","v26.0.0-rc1","v26.0.0-rc2","v26.0.0-rc3","v26.1.0","v27.0.0-rc.1","v27.0.0-rc.2","v27.0.1","v27.0.1-rc.1","v28.0.0","v28.0.0-rc.1","v28.0.0-rc.2","v28.0.0-rc.3","v28.0.1","v28.0.2","v28.0.3","v28.0.4","v28.1.0","v28.1.0-rc.1","v28.1.0-rc.2","v28.1.1","v28.2.0","v28.2.0-rc.1","v28.2.0-rc.2","v28.2.1","v28.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34040.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}