CVE-2026-41567: Docker: `PUT /containers/{id}/archive` executes container binary on the host
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images
Metrics
- CVSS v3.1
- 7.2
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 3
HarborGuard Analysis
Synopsis
A path-confusion vulnerability in Docker's archive-upload path allows a malicious container image to hijack decompression binary resolution. When the Docker daemon processes a compressed archive uploaded via `PUT /containers/{id}/archive` or `docker cp -`, it incorrectly resolves binaries such as `xz` or `unpigz` from the container filesystem instead of the host filesystem. An attacker who controls the container image and can induce a user to upload a compressed archive gains arbitrary code execution with full Docker daemon privileges, including host root UID and unrestricted Linux capabilities. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Docker Engine 29.5.1 or moby v2.0.0-beta.14 reaches general availability.
HarborGuard Coverage
Detection of CVE-2026-41567 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that layer on top of affected Moby or Docker Engine base packages. Any image in a customer registry or CI pipeline that carries a vulnerable daemon version is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 7.2 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticketing integration configured by each customer org, with per-environment context attached.
AvailableBecause no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Docker Engine 29.5.1 or moby v2.0.0-beta.14 is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the fix ships.
Pending upstreamExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host, or control over a container image; no network-level access to the daemon is required beyond whatever channel is used to deliver the archive.
- AuthenticationRequired
A low-privilege account with permission to call the Docker API (for example, membership in the docker group) is sufficient to trigger the vulnerable code path.
- Victim interactionRequired
A user with Docker API access must actively upload a compressed archive into the malicious container, for example via `docker cp` or a direct `PUT /containers/{id}/archive` call, making this a social-engineering or workflow-abuse vector.
- Attack complexityDetail
Exploitation depends on environmental factors: the attacker must pre-position a trojanized decompression binary inside the container image before the archive upload occurs, raising the setup bar above a trivial one-step exploit.
Blast Radius
- A successful attacker executes arbitrary binaries with the Docker daemon's privileges, which on typical deployments means host root UID.
- Full Linux capabilities available to the daemon (including CAP_SYS_ADMIN) are accessible to the injected payload, enabling host filesystem reads and writes.
- The attacker can read sensitive host files such as SSH keys, secrets mounted into other containers, and credential stores accessible to root.
- Container isolation is fully bypassed, so the attacker can inspect, modify, or kill any other container running on the same host.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against customer images on every ingest cycle so any image carrying a vulnerable Moby or Docker Engine package version is surfaced immediately. Because no upstream fix has been published, HarborGuard monitors the advisory continuously and will trigger a patched-image rebuild the moment Docker Engine 29.5.1 or moby v2.0.0-beta.14 is released; for customers with auto-remediation enabled, that rebuild will include a regression-test run and an automatic PR opened against affected workloads. While waiting for the upstream fix, HarborGuard recommends applying the documented workarounds: restrict access to the `PUT /containers/{id}/archive` endpoint via a Docker authorization plugin, enforce network policy to limit which workloads can call the Docker socket, and gate CI pipelines on an image-provenance check that blocks containers sourced from untrusted registries from receiving archive uploads.
- moby / moby/v2/daemon< 2.0.0-beta.14
- moby / Docker Engine< 29.5.1
- docker / docker/daemon<= 28.5.2
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N