{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-31T01:36:48Z",
  "bugzilla" : {
    "description" : "Moby: Moby: Authorization bypass vulnerability",
    "id" : "2453278",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453278"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-807",
  "details" : [ "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.", "A flaw was found in Moby, an open-source container framework. This security vulnerability allows attackers to bypass authorization plugins (AuthZ), which are mechanisms designed to control access and permissions within the container environment. The bypass of these plugins can lead to unauthorized operations and potential compromise of the system's integrity and confidentiality." ],
  "package_state" : [ {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-service-8-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Affected",
    "package_name" : "multicluster-engine/assisted-service-9-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/acm-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "rhceph-ci/grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift3/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-agent-installer-api-server-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-agent-installer-api-server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-console",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-virtualization/hostpath-csi-driver-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-virtualization/hostpath-provisioner-operator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-virtualization/hostpath-provisioner-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-virtualization/hyperconverged-cluster-operator-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-virtualization/hyperconverged-cluster-webhook-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34040\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34040\nhttps://github.com/moby/moby/releases/tag/docker-v29.3.1\nhttps://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2" ],
  "name" : "CVE-2026-34040",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}