High severity 8.4 · NVD Advisory · Published Mar 27, 2026 · Updated Apr 1, 2026
CVE-2026-33747
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.
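The exposure condition described above can be audited before a build runs. The following is an added example, not BuildKit or advisory code: it flags any frontend selected through a syntax directive or a `BUILDKIT_SYNTAX` build argument that is not on an allowlist. The allowlist contents, the function names and the simplified directive scan (all leading comment lines, skipping blank lines and a shebang) are assumptions.

```python
import re
# Assumption: only the frontend the advisory names as unaffected is trusted.
TRUSTED_REPOS = {"docker/dockerfile"}
_DIRECTIVE = re.compile(r"^#\s*syntax\s*=\s*(\S+)\s*$", re.IGNORECASE)

def repo_of(ref):
    """Strip digest, tag and the default registry prefix from an image ref."""
    name = ref.split("@", 1)[0]
    if ":" in name.rsplit("/", 1)[-1]:
        name = name.rsplit(":", 1)[0]
    for prefix in ("docker.io/", "index.docker.io/"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name

def frontends_in_dockerfile(text):
    """Return syntax directives found in the leading comment block."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#!"):
            continue  # conservative: skip blank lines and a shebang line
        if not line.startswith("#"):
            break  # the first instruction ends the directive area
        m = _DIRECTIVE.match(line)
        if m:
            found.append(m.group(1))
    return found

def frontends_in_argv(argv):
    """Return BUILDKIT_SYNTAX values passed through --build-arg."""
    found = []
    for i, arg in enumerate(argv):
        if arg == "--build-arg" and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith("--build-arg="):
            value = arg.split("=", 1)[1]
        else:
            continue
        key, sep, ref = value.partition("=")
        if key == "BUILDKIT_SYNTAX" and sep:
            found.append(ref)
    return found

def untrusted_frontends(dockerfile_text, argv=()):
    """Frontend refs from both sources whose repository is not allowlisted."""
    refs = frontends_in_dockerfile(dockerfile_text) + frontends_in_argv(list(argv))
    return [r for r in refs if repo_of(r) not in TRUSTED_REPOS]
```

A non-empty result from `untrusted_frontends` on a builder older than v0.28.1 marks a build that meets the condition in the description.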
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/moby/buildkit (Go) | < 0.28.1 | 0.28.1 |
References
- github.com/advisories/GHSA-4c29-8rgm-jvjj (source: ghsa; ADVISORY)
- github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj (source: nvd; Mitigation, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-33747 (source: ghsa; ADVISORY)
- github.com/moby/buildkit/releases/tag/v0.28.1 (source: nvd; Product, Release Notes; WEB)