CVE-2026-33747 · CRITICAL 9.8 · EPSS percentile 38.7%

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 38.7% · as of 2026-06-19T12:03:05Z
Published: 2026-03-27
Last modified: 2026-04-01

Underlying weaknesses (1)

CWE-22

References

  1. https://github.com/moby/buildkit/releases/tag/v0.28.1
  2. https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj

Type      Target                                                                          Confidence  Tier
Weakness  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')  cwe-22  0%  live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-28406
  - CVE-2026-33588
  - CVE-2025-47273
  - CVE-2026-45571
  - CVE-2026-41326
  - CVE-2025-27614
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.