Cybersecurity — 2026-04-08
Critical Docker Engine Flaw Allows Authorization Bypass and Host Takeover
A high-severity Docker Engine vulnerability (CVE-2026-34040, CVSS 8.8) stems from an incomplete fix for a prior maximum-severity flaw. When an API request exceeds 1 MB, Docker's middleware silently truncates the request body before forwarding it to authorization plugins, while the daemon processes the full, unmodified request, creating a gap between what is evaluated for security and what actually executes. Attackers with API access can exploit this to bypass authorization controls and gain host-level access. Docker released a fix in version 29.3.1.
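The failure mode described above is a general one for any authorization plugin that sits in front of an API daemon: if the plugin evaluates a different view of the request than the daemon executes, the policy can be rendered moot. The Go program below is an added illustration of that pattern and of the fail-closed fix, not Docker's own middleware or plugin code. It models a minimal authz middleware in two forms, one that truncates the body the plugin sees (the flawed pattern from the advisory, with the 1 MB figure taken from it) and one that rejects any body it cannot evaluate in full; the stand-in policy rule, the `/containers/create` path, the `Privileged` field and all request bodies are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Limit on what the authz plugin is given to inspect (figure from the advisory).
const maxAuthzBodyBytes = 1 << 20

// authzRequest is the plugin's view of the call: method, path and the body
// it is allowed to inspect.
type authzRequest struct {
	Method string
	Path   string
	Body   []byte
}

// policyAllows is a constructed stand-in policy: deny any request body that
// asks for a privileged container.
func policyAllows(req authzRequest) bool {
	return !bytes.Contains(req.Body, []byte(`"Privileged":true`))
}

// truncatingAuthz models the flawed pattern: the plugin sees at most
// maxAuthzBodyBytes of the body, but the daemon handler receives all of it.
func truncatingAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		full, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		seen := full
		if len(seen) > maxAuthzBodyBytes {
			seen = seen[:maxAuthzBodyBytes] // silently truncated: seen != full
		}
		if !policyAllows(authzRequest{r.Method, r.URL.Path, seen}) {
			http.Error(w, "denied by authz plugin", http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(full)) // daemon executes the full body
		next.ServeHTTP(w, r)
	})
}

// failClosedAuthz is the hardened form: a body larger than the plugin can
// evaluate is rejected outright, so the daemon never sees more than the plugin did.
func failClosedAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxAuthzBodyBytes+1))
		if err != nil {
			http.Error(w, "read error", http.StatusBadRequest)
			return
		}
		if len(body) > maxAuthzBodyBytes {
			http.Error(w, "request body too large for authorization", http.StatusRequestEntityTooLarge)
			return
		}
		if !policyAllows(authzRequest{r.Method, r.URL.Path, body}) {
			http.Error(w, "denied by authz plugin", http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // daemon sees exactly what the plugin saw
		next.ServeHTTP(w, r)
	})
}

// daemon is a stand-in API handler that acts on whatever body reaches it.
func daemon() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		w.WriteHeader(http.StatusCreated)
		if bytes.Contains(body, []byte(`"Privileged":true`)) {
			io.WriteString(w, "privileged container created")
			return
		}
		io.WriteString(w, "container created")
	})
}

// send pushes one constructed POST through the given middleware and returns
// the HTTP status the client would observe.
func send(mw func(http.Handler) http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/containers/create", bytes.NewReader(body))
	mw(daemon()).ServeHTTP(rec, req)
	return rec.Code
}

// oversizedBody is a constructed request whose sensitive field sits past the
// 1 MB mark, which is exactly the region a truncating plugin never inspects.
func oversizedBody() []byte {
	pad := strings.Repeat(" ", maxAuthzBodyBytes)
	return []byte(`{"Image":"alpine",` + pad + `"HostConfig":{"Privileged":true}}`)
}

func main() {
	small := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	fmt.Println("truncating, small body:   ", send(truncatingAuthz, small))          // 403
	fmt.Println("truncating, oversized body:", send(truncatingAuthz, oversizedBody())) // 201: policy bypassed
	fmt.Println("fail-closed, oversized body:", send(failClosedAuthz, oversizedBody())) // 413
}
```

The invariant worth checking in any plugin-based authorization layer is the one the hardened handler enforces: the bytes the policy engine evaluated must be byte-for-byte the bytes the daemon executes, and when that cannot be guaranteed the request is refused rather than partially inspected. Operationally, until hosts run 29.3.1 or later, a 413 or a burst of unusually large bodies at the API front end is a reasonable thing to alert on.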
Sources: The Hacker News · Cybersecurity News