CVE-2026-33997

EUVD-2026-17290

31.03.2026, 03:15

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Affected Products (NVD)

Vendor	Product	Version
docker	engine	𝑥 < 29.3.1

𝑥

= Vulnerable software versions

Amazon Linux Releases

Amazon Package

Release

docker

Amazon Linux 2023

0:25.0.14-1.amzn2023.0.5

fixed

docker-debuginfo

Amazon Linux 2023

0:25.0.14-1.amzn2023.0.5

fixed

docker-debugsource

Amazon Linux 2023

0:25.0.14-1.amzn2023.0.5

fixed

Common Weakness Enumeration

CWE-193 - Off-by-one Error
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

References

https://github.com/moby/moby/releases/tag/docker-v29.3.1

https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9