CVE-2026-33747
HIGH 8.4
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Builds that use these options with a well-known frontend image like `docker/dockerfile` are not affected.
CVE Details
CVSS v3.1 Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 3/27/2026
Last Modified: 4/1/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
mobyproject:buildkit
Weaknesses (CWE)
CWE-22
References
https://github.com/moby/buildkit/releases/tag/v0.28.1 (security-advisories@github.com)
https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.