2453277 – (CVE-2026-33997) CVE-2026-33997 moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation

Bug 2453277 (CVE-2026-33997) - CVE-2026-33997 moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation

Summary: CVE-2026-33997 moby: docker: github.com/moby/moby: Moby: Privilege validation...

Keywords:
Status:	NEW
Alias:	CVE-2026-33997
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2453632 2453633 2453634
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-31 03:01 UTC by OSIDB Bzimport
Modified:	2026-03-31 23:31 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-31 03:01:55 UTC

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

Note You need to log in before you can comment on or make changes to this bug.