Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

INFO

Published Date :

2026-03-27T00:49:06.165Z

Last Modified :

2026-03-27T00:49:06.165Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33747 vulnerability.

Vendors Products
Moby
  • Buildkit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33747.

URL Resource
https://github.com/moby/buildkit/releases/tag/v0.28.1 cve-icon cve-icon
https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact