Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Docker’s 1MB authz bypass: are your container controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A one-megabyte size check in Docker Engine silently drops oversized request bodies before AuthZ plugins can inspect them, enabling a single HTTP request to create privileged containers with host access, according to Cyera. The failure shows that middleware which truncates input without failing closed turns authorization into a blind spot, not a control.

NHIMG editorial — based on content published by Cyera: One Megabyte to Root: How a Size Check Broke Docker’s Last Line of Defense

By the numbers:

Questions worth separating out

Q: What breaks when Docker AuthZ plugins do not see the full request body?

A: The authorization decision breaks because the plugin evaluates incomplete evidence while the daemon still executes the full container request.

Q: Why do oversized request bodies create a security risk in container platforms?

A: Oversized request bodies become dangerous when the security gate truncates them but still lets execution continue.

Q: How can security teams tell whether their container controls are really working?

A: They should test whether the enforcement point receives the exact same request that the daemon acts on, including edge cases such as oversized bodies, chunked transfer, and empty-body anomalies.

Practitioner guidance

  • Audit every body-handling authorization path Check Docker, proxy, and API gateway controls for any path where oversized or truncated input reaches execution while the policy layer sees incomplete data.
  • Require fail-closed behavior on oversize requests Reject requests that exceed policy inspection limits before they reach the daemon, rather than forwarding an empty or partial body to the authorizer.
  • Test container policy with padded requests Use oversized container-create requests to confirm that privileged mode, host mounts, and command overrides are visible to the enforcement layer under real network transport conditions.

That is the governance gap teams need to close in Docker API design, gateway inspection, and workload identity enforcement?

👉 Read Cyera’s analysis of Docker’s 1MB authorization bypass and host access risk →

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
Share: