← Retour aux CVEs
CVE-2026-33747
HIGH8.4
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Details CVE
Score CVSS v3.18.4
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueLOCAL
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie3/27/2026
Derniere modification4/1/2026
Sourcenvd
Observations honeypot0
Produits affectes
mobyproject:buildkit
Faiblesses (CWE)
CWE-22
References
https://github.com/moby/buildkit/releases/tag/v0.28.1(security-advisories@github.com)
https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.