CVE-2026-35029

ADVISORY - github

Summary

Impact

The /config/update endpoint does not enforce admin role authorization. Any user who is already authenticated to the platform can use this endpoint to:

  • Modify proxy configuration and environment variables
  • Register custom pass-through endpoint handlers pointing to attacker-controlled Python code, achieving remote code execution
  • Read arbitrary server files by setting UI_LOGO_PATH and fetching via /get_image
  • Take over other privileged accounts by overwriting the UI_USERNAME and UI_PASSWORD environment variables

Patches

Fixed in v1.83.0. The endpoint now requires the proxy_admin role.
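
The flaw and its fix reduced to the authorization check itself, as an added illustration in Python (not the affected project's code): the in-memory key store, the role name internal_user, and the handler shapes are assumptions, with proxy_admin taken from the advisory.

```python
from dataclasses import dataclass, field

# Constructed sample key store: API key -> role (hypothetical, not real credentials).
API_KEYS = {
    "sk-admin-0001": "proxy_admin",
    "sk-user-0002": "internal_user",
}

class AuthError(Exception):
    """Request carried no valid API key."""

class Forbidden(Exception):
    """Caller is authenticated but lacks the required role."""

@dataclass
class Request:
    path: str
    api_key: str
    body: dict = field(default_factory=dict)

def authenticate(req: Request) -> str:
    """Return the caller's role, or raise if the key is unknown."""
    role = API_KEYS.get(req.api_key)
    if role is None:
        raise AuthError("invalid or missing API key")
    return role

def config_update_vulnerable(req: Request, config: dict) -> dict:
    """Pre-fix shape: authentication only, no role check (Incorrect Authorization)."""
    authenticate(req)
    config.update(req.body)  # any authenticated key reaches this line
    return config

def config_update_fixed(req: Request, config: dict) -> dict:
    """Post-fix shape: caller must be authenticated AND hold the proxy_admin role."""
    if authenticate(req) != "proxy_admin":
        raise Forbidden("proxy_admin role required for /config/update")
    config.update(req.body)
    return config

def attempt(handler, req: Request, config: dict) -> str:
    """Run a handler on a copy of config and report the outcome."""
    try:
        handler(req, dict(config))
        return "applied"
    except Forbidden:
        return "forbidden"
    except AuthError:
        return "unauthenticated"
```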

Workarounds

Restrict API key distribution. There is no configuration-level workaround.

EPSS Score: 0.1494 (0.946)

Common Weakness Enumeration (CWE)

  • ADVISORY - nist: Incorrect Authorization
  • ADVISORY - github: Incorrect Authorization
  • ADVISORY - redhat: Direct Request ('Forced Browsing')
