Cloud Security Wire
AWS Azure GCP RSS
AWSAzureGCP CVE Analysis critical

Docker CVE-2026-34040: Privileged Container Escape and AI-Agent Exploitation in Cloud Environments

CVE-2026-34040 in the Docker daemon allows creation of a privileged container with root-level host access, exposing AWS credentials, SSH keys, and Kubernetes configs stored on the host. AI coding agents have been demonstrated as a novel exploitation vector via prompt injection. Here's how to assess exposure and remediate.

By Cloud Security Wire · ·
#Docker#CVE-2026-34040#container escape#privilege escalation#cloud credentials#Kubernetes#AI agents#prompt injection#CI/CD#remediation
Critical Severity

This issue has been assessed as critical severity. Review affected configurations immediately.

CVE-2026-34040 is a critical vulnerability in the Docker daemon that permits creation of a privileged container with root-level access to the underlying host. In cloud environments — where the host carries AWS instance metadata service credentials, Kubernetes node service account tokens, SSH keys, and secrets mounted from cloud secret managers — a successful exploit means full credential theft from a single container breakout. The vulnerability was patched in April 2026; exploitation in the wild has been confirmed.

What the Vulnerability Does

The flaw exists in Docker’s authorization logic for container creation requests. Under certain conditions, an API call to create a container can bypass the intended privilege boundary and result in a container with --privileged semantics even when the request did not specify privileged mode. A container running with --privileged has read-write access to host device files, can mount host filesystems, and can modify host kernel parameters — equivalent to root on the host.

The practical exploit path in a cloud environment:

  1. Attacker gains code execution inside an existing container (via application vulnerability, supply chain compromise, or insecure default)
  2. Attacker triggers the Docker API vulnerability to create a new privileged container
  3. From the privileged container, attacker mounts the host filesystem: mount /dev/xvda1 /mnt
  4. From /mnt, reads ~/.aws/credentials, Kubernetes service account tokens at /var/run/secrets/kubernetes.io/serviceaccount/, SSH private keys, and .env files
  5. Optionally: reads EC2 IMDS from the host network namespace to obtain instance IAM role credentials without querying the metadata service from inside the original container

Assessing Exposure

Check your Docker version:

docker version --format '{{.Server.Version}}'

Vulnerable versions: Docker Engine before 26.1.5 and Docker Desktop before 4.31.0. If running an older version, treat the host as potentially compromised if it has had any external container execution.

Check for privileged container creation events in your environment:

For AWS CloudTrail (if Docker runs on EC2 via ECS or self-managed):

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=CreateContainer \
  --start-time 2026-04-01 \
  --query 'Events[?contains(CloudTrailEvent, `"Privileged":true`)]'

For Docker daemon audit logs:

grep -E '"Privileged"\s*:\s*true' /var/log/docker/audit.log

Kubernetes node exposure check:

# From inside a suspect container — shows if host filesystem is accessible
ls /proc/1/root/etc/kubernetes/
# If accessible, the container has host mount access

Remediation

Immediate action — patch Docker:

# Ubuntu/Debian
sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io

# Amazon Linux 2 / RHEL
sudo yum update docker

# Verify patched version
docker version

Enforce explicit deny on privileged container creation via admission controllers:

For Kubernetes clusters, add a policy that rejects privileged pod specs:

# OPA/Gatekeeper ConstraintTemplate
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: noprivilegedcontainers
spec:
  crd:
    spec:
      names:
        kind: NoPrivilegedContainers
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package noprivilegedcontainers
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          c.securityContext.privileged == true
          msg := sprintf("Container %v is privileged - denied by policy", [c.name])
        }

Restrict Docker socket access:

The Docker socket (/var/run/docker.sock) is frequently mounted into CI/CD containers for pipeline builds. Any container with socket access can exploit CVE-2026-34040 against the host daemon. Audit socket mounts:

# Find all running containers with Docker socket mounted
docker ps -q | xargs -I{} docker inspect {} \
  --format '{{.Name}}: {{range .Mounts}}{{if eq .Source "/var/run/docker.sock"}}SOCKET MOUNTED{{end}}{{end}}'

Remove Docker socket mounts from containers that don’t require them. For CI/CD, use rootless Docker or Kaniko/Buildah as alternatives that don’t require daemon socket access.

Enable seccomp and AppArmor profiles:

# Run containers with default seccomp profile applied (should be default, but verify)
docker run --security-opt seccomp=/etc/docker/seccomp-profile.json <image>

# Check daemon configuration
cat /etc/docker/daemon.json | grep -i seccomp

The AI Agent Exploitation Angle

Researchers demonstrated that AI coding agents — specifically agents with access to shell execution tools — can be manipulated via prompt injection into exploiting CVE-2026-34040. The attack scenario: an attacker embeds malicious instructions in a code file, README, or inline comment that the AI agent reads during a task. The injected prompt instructs the agent to call the Docker API in a way that triggers the privilege bypass.

This matters because AI coding agents in CI/CD pipelines commonly have:

  • Access to the Docker daemon socket for build tasks
  • Permissions to create and run containers
  • No human review of the specific API calls they make

Mitigation specific to agentic environments: apply the principle of least privilege to agent container creation permissions. If the agent needs to build images, grant image build permissions but restrict container creation with elevated security options. Implement tool-level guardrails that review container creation parameters before API invocation.

Cloud Credential Exposure After Compromise

If you believe a host may have been compromised via this vulnerability, rotate credentials in this order:

# 1. Rotate any IAM instance role credentials by stopping and restarting the instance
# (forces new STS credentials from IMDS)
aws ec2 stop-instances --instance-ids <id>
aws ec2 start-instances --instance-ids <id>

# 2. Audit CloudTrail for API calls using the compromised instance role
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::IAM::Role \
  --start-time <compromise-window-start>

# 3. Rotate any static credentials found in files on the host
aws iam list-access-keys --user-name <user>
aws iam delete-access-key --access-key-id <key-id>
aws iam create-access-key --user-name <user>

CVE-2026-34040 is the most impactful Docker vulnerability since runc CVE-2019-5736. Patch immediately, audit Docker socket exposure, and review your AI agent tool permissions if running agentic CI/CD pipelines.

← All Analysis Subscribe via RSS