Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Published: 2026-03-31
Score: 8.8 High
EPSS: 8.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Moby container framework allows an attacker to bypass authorization plugins by submitting an oversized request body. The weakness is classified under CWE-288 and CWE-807 and has a CVSS score of 8.8.

Affected Systems

All versions of Moby released before 29.3.1 are affected. The vulnerability was fixed in release 29.3.1 and later versions are not vulnerable.

Risk and Exploitability

The CVSS base score indicates significant risk, while the EPSS value of 8% suggests that public exploitation is currently plausible. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is inferred to involve direct network access to the Moby service, where an attacker would craft a request that exceeds the expected body size to trigger the authorization bypass.

Generated by OpenCVE AI on June 18, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Moby to version 29.3.1 or newer.
  • Configure firewalls or proxies to restrict inbound traffic to the Moby service to trusted IP ranges.
  • If an upgrade is not possible, enforce a maximum request body size at the service or proxy level to prevent oversized requests.



Advisories
Source ID Title
Github GHSA GHSA-x744-4wpc-v9h2 Moby has AuthZ plugin bypass when provided oversized request bodies
History

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Docker
Docker engine
CPEs cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:* cpe:2.3:a:docker:engine:*:*:*:*:*:*:*:*
Vendors & Products Mobyproject
Mobyproject moby
Docker
Docker engine

Mon, 06 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-807
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mobyproject
Mobyproject moby
CPEs cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Vendors & Products Mobyproject
Mobyproject moby

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Moby
Moby moby
Vendors & Products Moby
Moby moby

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Title Moby: AuthZ plugin bypass with oversized request body
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T03:55:56.676Z

Reserved: 2026-03-25T15:29:04.744Z

Link: CVE-2026-34040

Vulnrichment

Updated: 2026-03-31T15:34:59.017Z

NVD

Status: Analyzed

Published: 2026-03-31T03:15:57.883

Modified: 2026-06-17T10:38:28.383

Link: CVE-2026-34040

Redhat

Severity: Moderate

Public Date: 2026-03-31T01:36:48Z

Links: CVE-2026-34040 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel

  • CWE-807

    Reliance on Untrusted Inputs in a Security Decision