CVE-2026-33997

6.8 MEDIUM

Moby is an open source container framework

Published: 2026-03-31 · Last updated: 2026-06-16

Severity and scoring

CVSS: 6.8 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-193

Affected products

Vendor	Product
docker	engine

Description

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-33997
[Other]https://github.com/moby/moby/releases/tag/docker-v29.3.1
[Vendor advisory]https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9

Related CVEs

Same vendor

CVE-2026-42306 — Moby is an open source container framework (7.2 HIGH)
CVE-2026-41568 — Moby is an open source container framework (6.1 MEDIUM)
CVE-2026-5843 — The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary P... (8.2 HIGH)
CVE-2026-5817 — The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizer... (8.2 HIGH)
CVE-2026-6406 — The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop (8.8 HIGH)

Same CWE

CVE-2026-8357 — LibreOffice Calc compiles cell formulas when opening a spreadsheet
CVE-2026-54410 — nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows ... (8.6 HIGH)
CVE-2026-46559 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.0 MEDIUM)
CVE-2026-45380 — bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files (3.6 LOW)
CVE-2026-45358 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)