CVE-2026-33997
Published: 31 March 2026
Summary
CVE-2026-33997 is a medium-severity Off-by-one Error (CWE-193) vulnerability in Moby (Moby Project). Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely remediation of the privilege comparison logic flaw through patching to version 29.3.1 or later.
- CM-11 (User-installed Software): Addresses the exploitation vector by restricting and scanning user-installed plugins for malicious code before installation, preventing tricked administrators from deploying harmful plugins.
- Least privilege: Limits the impact of privilege bypass by enforcing least privilege on plugins and system processes, reducing confidentiality and integrity violations even if validation fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses privilege validation logic in Docker plugin installation, directly enabling exploitation for privilege escalation (T1068) by allowing a malicious plugin to obtain unauthorized elevated privileges beyond user approval, leading to high confidentiality and integrity impacts.
NVD Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.
Deeper analysis
CVE-2026-33997 is a vulnerability in Moby, an open source container framework, affecting versions prior to 29.3.1. The issue resides in the daemon's privilege comparison logic during Docker plugin installation, allowing privilege validation to be bypassed. Specifically, the daemon may incorrectly accept a privilege set that differs from the one approved by the user, and plugins requesting exactly one privilege undergo no comparison at all. This flaw is classified under CWE-193 with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability over the network without privileges, though it requires high attack complexity and user interaction, such as tricking an administrator into installing a malicious plugin. Successful exploitation enables high-impact confidentiality and integrity violations, potentially allowing the attacker to access sensitive data or modify system configurations through escalated plugin privileges beyond those explicitly approved.
The vulnerability has been patched in Moby version 29.3.1, as detailed in the official release notes and security advisory. Security practitioners should update to this version or later to mitigate the risk, with further technical details available in the GitHub advisory (GHSA-pxq6-2prw-chj9) and release tag (docker-v29.3.1).
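The comparison logic at the heart of this advisory is easy to get wrong in exactly the way CWE-193 describes. The following Go example is added here for illustration; it is not Moby's code and does not reproduce the actual daemon change. The Privilege type, the sample privilege values, and the off-by-one loop in validateOffByOne are all constructed assumptions chosen to be consistent with the NVD description (a privilege set that differs from the approved one is accepted, and a single-privilege plugin is never compared at all). validatePrivileges shows the shape of a correct check: the requested set must match the user-approved set in length and element by element, starting from index 0.

```go
package main

import (
	"fmt"
	"sort"
)

// Privilege is a simplified, illustrative model of a plugin privilege:
// a named capability with a list of values (for example mount paths).
// It is an assumption for this example, not Moby's own privilege type.
type Privilege struct {
	Name   string
	Values []string
}

// samePrivilege reports whether two privileges have the same name and
// the same set of values, independent of the order of the values.
func samePrivilege(a, b Privilege) bool {
	if a.Name != b.Name || len(a.Values) != len(b.Values) {
		return false
	}
	av := append([]string(nil), a.Values...)
	bv := append([]string(nil), b.Values...)
	sort.Strings(av)
	sort.Strings(bv)
	for i := range av {
		if av[i] != bv[i] {
			return false
		}
	}
	return true
}

// validateOffByOne is a HYPOTHETICAL reconstruction of the flaw class the
// advisory describes (CWE-193), not Moby's actual code: the loop starts at
// index 1, so the first privilege is never compared, and a plugin that
// requests exactly one privilege is accepted without any check at all.
func validateOffByOne(requested, approved []Privilege) bool {
	for i := 1; i < len(requested) && i < len(approved); i++ {
		if !samePrivilege(requested[i], approved[i]) {
			return false
		}
	}
	return true
}

// validatePrivileges is the corrected comparison: the set the plugin
// requests must match the set the user approved exactly, both in length
// (no extra or missing privileges) and element by element from index 0.
// Privileges are compared in the order they were presented for approval.
func validatePrivileges(requested, approved []Privilege) bool {
	if len(requested) != len(approved) {
		return false
	}
	for i := range requested {
		if !samePrivilege(requested[i], approved[i]) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample input: the user approved a mount of /etc, but the
	// privilege set seen at install time asks for / instead.
	approved := []Privilege{{Name: "mount", Values: []string{"/etc"}}}
	requested := []Privilege{{Name: "mount", Values: []string{"/"}}}

	fmt.Println("off-by-one check accepts mismatch:", validateOffByOne(requested, approved))
	fmt.Println("corrected check accepts mismatch:", validatePrivileges(requested, approved))
}
```

A defensive review of any "approved versus requested" comparison should cover the three cases the corrected function handles: a differing element anywhere in the list (including the first), a set with more or fewer entries than was approved, and a single-entry set that must still be compared rather than waved through.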
Details
- CWE(s)