Github.Com Moby Moby V2 vulnerabilities
5 known vulnerabilities affecting github.com/moby_moby_v2.
Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH2MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2026-34040P3CRITICALCVSS 9.9≥ 0, < 2.0.0-beta.82026-03-27
CVE-2026-34040 [CRITICAL] CWE-288 Moby has AuthZ plugin bypass when provided oversized request bodies
Moby has AuthZ plugin bypass when provided oversized request bodies
## Summary
A security vulnerability has been detected that allows attackers to bypass [authorization plugins (AuthZ)](https://docs.docker.com/engine/extend/plugins_authorization/) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for [CVE-2024-41110](https://github.com
ghsaosv
CVE-2026-33997P3MEDIUM≥ 0, < 2.0.0-beta.82026-03-27
CVE-2026-33997 [MEDIUM] CWE-193 Moby has an Off-by-one error in its plugin privilege validation
Moby has an Off-by-one error in its plugin privilege validation
## Summary
A security vulnerability has been detected that allows [plugins](https://docs.docker.com/engine/extend/legacy_plugins/) privilege validation to be bypassed during `docker plugin install`. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one app
ghsaosv
CVE-2026-41567P3HIGH≥ 0, < 2.0.0-beta.142026-05-18
CVE-2026-41567 [HIGH] CWE-427 Docker: `PUT /containers/{id}/archive` executes container binary on the host
Docker: `PUT /containers/{id}/archive` executes container binary on the host
## Summary
When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges.
## Details
When handling `PUT /containers/{id}/archive` requests with compressed archives, the daemon decompresses them using external system binaries. Due to in
ghsa
CVE-2026-42306P3HIGH≥ 0, < 2.0.0-beta.142026-05-18
CVE-2026-42306 [HIGH] CWE-367 Docker: Race condition in docker cp allows bind mount redirection to host path
Docker: Race condition in docker cp allows bind mount redirection to host path
## Summary
A race condition during `docker cp` mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service.
## Details
When copying files into a container, the daemon sets up a temporary filesystem view b
ghsa
CVE-2026-41568P4MEDIUM≥ 0, < 2.0.0-beta.142026-05-18
CVE-2026-41568 [MEDIUM] CWE-367 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
## Summary
A race condition during `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race d
ghsa