Docker: `PUT /containers/{id}/archive` executes container binary on the host
CVE-2026-41567

7.2HIGH

Key Information:

Vendor: Moby
Status: Moby/v2/daemon; Docker Engine; Docker/daemon
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-41567?

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via PUT /containers/{id}/archive or piped through docker cp -, the daemon resolves decompression binaries (such as xz or unpigz) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the PUT /containers/{id}/archive endpoint, and avoiding piping compressed archives into containers created from untrusted images

Affected Version(s)

Docker Engine < 29.5.1

docker/daemon <= 28.5.2

moby/v2/daemon < 2.0.0-beta.14

References

https://github.com/moby/moby/security/advisories/GHSA-x86...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Apr 21, 2026

CVE-2026-41567 Data

JSON