CVE-2026-40217
ADVISORY - github
Summary
Impact
The POST /guardrails/test_custom_code endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
Reaching the endpoint requires a proxy-admin credential in default configurations.
Patches
Fixed in 1.83.11. The hand-rolled sandbox has been replaced with RestrictedPython. Upgrade to 1.83.11 or later.
Workarounds
If upgrading is not immediately possible, block POST /guardrails/test_custom_code at your reverse proxy or API gateway.
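One way to confirm the workaround is holding and to review past use of the endpoint, as an added example that is not part of the advisory or the project's code: the script scans reverse-proxy access logs for POST requests to /guardrails/test_custom_code. The combined log format, the 403 deny status, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named in the advisory.
BLOCKED_PATH = "/guardrails/test_custom_code"

# Assumption: the reverse proxy writes combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def canonical_path(target):
    """Strip the query string, decode %-escapes, collapse '//', '.', '..' and a trailing '/'."""
    path = unquote(target.split("?", 1)[0])
    return normpath(re.sub(r"/{2,}", "/", path))

def find_requests(lines, deny_statuses=(403,)):
    """Return (ip, timestamp, status, not_blocked) for each POST to the endpoint.

    deny_statuses is an assumption: the status your proxy rule answers with.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if canonical_path(m["target"]) != BLOCKED_PATH:
            continue
        status = int(m["status"])
        hits.append((m["ip"], m["ts"], status, status not in deny_statuses))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "POST /guardrails/test_custom_code HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Jan/2026:10:05:40 +0000] "POST /guardrails//test_custom_code/?x=1 HTTP/1.1" 403 153 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/Jan/2026:10:06:00 +0000] "POST /guardrails/%74est_custom_code HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.9 - - [12/Jan/2026:10:07:11 +0000] "GET /guardrails/test_custom_code HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2026:10:07:30 +0000] "POST /other/endpoint HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, not_blocked in find_requests(SAMPLE_LOG):
        verdict = "REVIEW: not blocked" if not_blocked else "blocked at proxy"
        print(f"{ts} {ip} status={status} {verdict}")
```

Paths are normalized before comparison so that log entries recording the endpoint in a non-canonical form are still counted; any hit flagged as not blocked after the proxy rule was deployed means the rule is not matching that request.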
References
- Patched release: v1.83.10-stable
EPSS Score: 0.00277 (0.511)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Unprotected Alternate Channel