This issue has been assessed as critical severity. Review affected configurations immediately.
CVE-2026-34040 is a critical vulnerability in the Docker daemon that permits creation of a privileged container with root-level access to the underlying host. In cloud environments — where the host carries AWS instance metadata service credentials, Kubernetes node service account tokens, SSH keys, and secrets mounted from cloud secret managers — a successful exploit means full credential theft from a single container breakout. The vulnerability was patched in April 2026; exploitation in the wild has been confirmed.
What the Vulnerability Does
The flaw exists in Docker’s authorization logic for container creation requests. Under certain conditions, an API call to create a container can bypass the intended privilege boundary and result in a container with --privileged semantics even when the request did not specify privileged mode. A container running with --privileged has read-write access to host device files, can mount host filesystems, and can modify host kernel parameters — equivalent to root on the host.
The practical exploit path in a cloud environment:
- Attacker gains code execution inside an existing container (via application vulnerability, supply chain compromise, or insecure default)
- Attacker triggers the Docker API vulnerability to create a new privileged container
- From the privileged container, attacker mounts the host filesystem:
mount /dev/xvda1 /mnt - From
/mnt, reads~/.aws/credentials, Kubernetes service account tokens at/var/run/secrets/kubernetes.io/serviceaccount/, SSH private keys, and.envfiles - Optionally: reads EC2 IMDS from the host network namespace to obtain instance IAM role credentials without querying the metadata service from inside the original container
Assessing Exposure
Check your Docker version:
docker version --format '{{.Server.Version}}'
Vulnerable versions: Docker Engine before 26.1.5 and Docker Desktop before 4.31.0. If running an older version, treat the host as potentially compromised if it has had any external container execution.
Check for privileged container creation events in your environment:
For AWS CloudTrail (if Docker runs on EC2 via ECS or self-managed):
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=CreateContainer \
--start-time 2026-04-01 \
--query 'Events[?contains(CloudTrailEvent, `"Privileged":true`)]'
For Docker daemon audit logs:
grep -E '"Privileged"\s*:\s*true' /var/log/docker/audit.log
Kubernetes node exposure check:
# From inside a suspect container — shows if host filesystem is accessible
ls /proc/1/root/etc/kubernetes/
# If accessible, the container has host mount access
Remediation
Immediate action — patch Docker:
# Ubuntu/Debian
sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io
# Amazon Linux 2 / RHEL
sudo yum update docker
# Verify patched version
docker version
Enforce explicit deny on privileged container creation via admission controllers:
For Kubernetes clusters, add a policy that rejects privileged pod specs:
# OPA/Gatekeeper ConstraintTemplate
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: noprivilegedcontainers
spec:
crd:
spec:
names:
kind: NoPrivilegedContainers
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package noprivilegedcontainers
violation[{"msg": msg}] {
c := input.review.object.spec.containers[_]
c.securityContext.privileged == true
msg := sprintf("Container %v is privileged - denied by policy", [c.name])
}
Restrict Docker socket access:
The Docker socket (/var/run/docker.sock) is frequently mounted into CI/CD containers for pipeline builds. Any container with socket access can exploit CVE-2026-34040 against the host daemon. Audit socket mounts:
# Find all running containers with Docker socket mounted
docker ps -q | xargs -I{} docker inspect {} \
--format '{{.Name}}: {{range .Mounts}}{{if eq .Source "/var/run/docker.sock"}}SOCKET MOUNTED{{end}}{{end}}'
Remove Docker socket mounts from containers that don’t require them. For CI/CD, use rootless Docker or Kaniko/Buildah as alternatives that don’t require daemon socket access.
Enable seccomp and AppArmor profiles:
# Run containers with default seccomp profile applied (should be default, but verify)
docker run --security-opt seccomp=/etc/docker/seccomp-profile.json <image>
# Check daemon configuration
cat /etc/docker/daemon.json | grep -i seccomp
The AI Agent Exploitation Angle
Researchers demonstrated that AI coding agents — specifically agents with access to shell execution tools — can be manipulated via prompt injection into exploiting CVE-2026-34040. The attack scenario: an attacker embeds malicious instructions in a code file, README, or inline comment that the AI agent reads during a task. The injected prompt instructs the agent to call the Docker API in a way that triggers the privilege bypass.
This matters because AI coding agents in CI/CD pipelines commonly have:
- Access to the Docker daemon socket for build tasks
- Permissions to create and run containers
- No human review of the specific API calls they make
Mitigation specific to agentic environments: apply the principle of least privilege to agent container creation permissions. If the agent needs to build images, grant image build permissions but restrict container creation with elevated security options. Implement tool-level guardrails that review container creation parameters before API invocation.
Cloud Credential Exposure After Compromise
If you believe a host may have been compromised via this vulnerability, rotate credentials in this order:
# 1. Rotate any IAM instance role credentials by stopping and restarting the instance
# (forces new STS credentials from IMDS)
aws ec2 stop-instances --instance-ids <id>
aws ec2 start-instances --instance-ids <id>
# 2. Audit CloudTrail for API calls using the compromised instance role
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::IAM::Role \
--start-time <compromise-window-start>
# 3. Rotate any static credentials found in files on the host
aws iam list-access-keys --user-name <user>
aws iam delete-access-key --access-key-id <key-id>
aws iam create-access-key --user-name <user>
CVE-2026-34040 is the most impactful Docker vulnerability since runc CVE-2019-5736. Patch immediately, audit Docker socket exposure, and review your AI agent tool permissions if running agentic CI/CD pipelines.