PT-2026-28590 · Docker+1
Cody · Published 2026-03-25 · Updated 2026-05-24 · CVE-2026-33997
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Docker (affected versions not specified)
Description: A flaw exists in the Docker daemon’s privilege validation process during docker plugin install. The daemon does not fully enforce plugin privilege checks, potentially allowing unintended privilege escalation. This occurs because the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins requesting exactly one privilege are also affected, as no comparison is performed. Exploitation requires installing a plugin from a malicious source. The API endpoint involved is docker plugin install. The vulnerable parameter is the plugin configuration.
Recommendations: Do not install plugins from untrusted sources. Carefully review all privileges requested during docker plugin install. Restrict access to the Docker daemon to trusted parties, following the principle of least privilege. Avoid relying on plugin privilege approval as the only control boundary for sensitive environments.
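As an added illustration, not code from Docker or from this advisory, the check the description says is incomplete or skipped: a strict, order-independent comparison of the privilege set the user approved against the set the fetched plugin configuration actually requests, including the single-privilege case. The Privilege type, the sample privilege names and the paths are simplified assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Privilege is a simplified, hypothetical model of one plugin privilege
// (a name such as "mount" or "capabilities" plus its values); it is not
// Docker's own type.
type Privilege struct {
	Name  string   `json:"name"`
	Value []string `json:"value"`
}

// canonical returns an order-independent encoding of a privilege list so
// that two lists compare equal only if every name and every value agrees.
func canonical(ps []Privilege) string {
	cp := make([]Privilege, len(ps))
	for i, p := range ps {
		vals := append([]string(nil), p.Value...)
		sort.Strings(vals)
		cp[i] = Privilege{Name: p.Name, Value: vals}
	}
	sort.Slice(cp, func(i, j int) bool {
		if cp[i].Name != cp[j].Name {
			return cp[i].Name < cp[j].Name
		}
		return fmt.Sprint(cp[i].Value) < fmt.Sprint(cp[j].Value) // tie-break duplicates
	})
	b, _ := json.Marshal(cp) // fixed field order, so equal content gives equal bytes
	return string(b)
}

// PrivilegesMatch is the check a daemon must run before granting a plugin
// anything: the requested set must equal the approved set exactly, with no
// shortcut for a single privilege and no tolerance for extra or widened values.
func PrivilegesMatch(approved, requested []Privilege) bool {
	return canonical(approved) == canonical(requested)
}

func main() {
	// Constructed sample: the user approved one narrow mount, the fetched config asks for "/".
	approved := []Privilege{{Name: "mount", Value: []string{"/var/lib/plugin-data"}}}
	requested := []Privilege{{Name: "mount", Value: []string{"/"}}}
	fmt.Println("widened single privilege accepted:", PrivilegesMatch(approved, requested)) // false
}
```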

Exploit · Fix · LPE · DoS

Weakness Enumeration

Related Identifiers

CVE-2026-33997
ECHO-91B4-E7D6-F02C
GHSA-PXQ6-2PRW-CHJ9
GO-2026-4883
OESA-2026-2138
SUSE-SU-2026:1205-1

Affected Products

Docker
Red Os