diff --git a/docs/docs/30-administration/10-server-config.md b/docs/docs/30-administration/10-server-config.md index c11d91f52..631a96f27 100644 --- a/docs/docs/30-administration/10-server-config.md +++ b/docs/docs/30-administration/10-server-config.md @@ -354,6 +354,8 @@ a user can log into Woodpecker, without re-authentication. Docker images to run in privileged mode. Only change if you are sure what you do! +You should specify the tag of your images too, as this enforces exact matches. + ### WOODPECKER_PLUGINS_TRUSTED_CLONE > Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go) diff --git a/docs/docs/91-migrations.md b/docs/docs/91-migrations.md index 97eb8b8d2..2cc396303 100644 --- a/docs/docs/91-migrations.md +++ b/docs/docs/91-migrations.md @@ -5,7 +5,7 @@ Some versions need some changes to the server configuration or the pipeline conf ## `next` - `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN` -- Check trusted-clone-plugins by image name and tag (if tag is set) +- Check trusted-clone- and priviledged-plugins by image name and tag (if tag is set) - Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)). - Secret filters for plugins now check against tag if specified - Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST` diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go index d01175368..bab841d8a 100644 --- a/pipeline/frontend/yaml/compiler/convert.go +++ b/pipeline/frontend/yaml/compiler/convert.go 
@@ -138,7 +138,7 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe environment[requested] = secretValue } - if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() { + if utils.MatchImageDynamic(container.Image, c.escalated...) && container.IsPlugin() { privileged = true }
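Review bot: In the `10-server-config.md` hunk, the added sentence "You should specify the tag of your images too, as this enforces exact matches." does not say what an entry without a tag matches. The migration note in this same patch says the tag is checked only "if tag is set", so an untagged entry in the privileged list presumably matches every tag of that image. For a setting that grants privileged mode, that should be stated outright. Suggest spelling out both cases, for example: an entry with a tag matches only that exact tag, and an entry without a tag matches any tag of the image.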
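Review bot: In the `91-migrations.md` hunk, the added line misspells "privileged" as "priviledged", and "trusted-clone- and priviledged-plugins" is hard to parse. Suggest "Check trusted clone plugins and privileged plugins by image name and tag (if tag is set)". Since this entry is the upgrade notice for a change in who gets privileged mode, it would also help to link `WOODPECKER_ESCALATE` here, as the next bullet already does, so operators know which setting to re-check.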
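Review bot: In the `convert.go` hunk, the switch from `utils.MatchImage` to `utils.MatchImageDynamic` changes the condition that sets `privileged = true`, but the visible patch carries no test change for it. Because this branch decides whether a plugin container runs privileged, please add compiler test cases for `createProcess` that cover at least: an entry in `c.escalated` with a tag against the same image with a different tag (must not escalate), the same tag (must escalate), and an untagged entry against a tagged image. A short comment above the `if` stating that tagged entries require an exact tag match would also help the next reader.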