Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Published: 2026-03-27
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: File system escape outside of BuildKit state directory
Action: Apply patch
AI Analysis

Impact

The vulnerability allows an attacker-controlled BuildKit frontend to write files outside the intended state directory by sending a crafted API message to the BuildKit daemon. This gives the frontend the ability to create or overwrite files in arbitrary locations on the build host, potentially enabling privilege escalation or system compromise. The weakness is classified as CWE-22: Path Traversal. The CVSS score is 8.4 (High).

Affected Systems

The affected product is BuildKit from the Moby project, versions prior to 0.28.1. Any installation that relies on custom frontends specified with `#syntax` or `--build-arg BUILDKIT_SYNTAX` is susceptible. Using the well-known `docker/dockerfile` frontend does not trigger the flaw.

Risk and Exploitability

The flaw was fixed in BuildKit v0.28.1, so upgrading eliminates the risk. Exploitation requires an untrusted frontend configuration, meaning the attack vector is through build scripts that pull malicious frontends. The EPSS score is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, systems running vulnerable versions should be patched promptly.

Generated by OpenCVE AI on April 2, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuildKit to v0.28.1 or newer
  • Restrict the use of untrusted frontends by removing `#syntax` directives or ensuring `BUILDKIT_SYNTAX` references trusted images
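A policy check for the second recommended action, added here as an example that is not part of the OpenCVE record or of BuildKit itself: it reads the leading `# syntax=` directive of a Dockerfile (or a `BUILDKIT_SYNTAX` build arg, which is assumed to take precedence), strips tag and digest, and flags any frontend whose repository is not in a constructed allowlist. The scan is deliberately conservative (every leading comment line is a candidate directive), so it can over-flag but will not miss a directive BuildKit would honour.

```python
import re
from typing import Optional

# Constructed allowlist for this example: frontend repositories the build policy
# trusts. A fully qualified form such as docker.io/docker/dockerfile would have
# to be added explicitly, since the comparison is on the exact repository string.
TRUSTED_FRONTENDS = {"docker/dockerfile"}

# A BuildKit parser directive line: `# syntax=<image>` (whitespace optional,
# directive name case-insensitive).
DIRECTIVE_RE = re.compile(r"^\s*#\s*syntax\s*=\s*(\S+)\s*$", re.IGNORECASE)


def find_syntax_directive(dockerfile: str) -> Optional[str]:
    """Return the image named by a leading `# syntax=` directive, else None.

    Only the comment block at the top of the file is scanned; the first line
    that is neither blank nor a comment ends the search, because BuildKit does
    not honour a directive that appears after an instruction.
    """
    for line in dockerfile.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not stripped.startswith("#"):
            break
        match = DIRECTIVE_RE.match(line)
        if match:
            return match.group(1)
    return None


def image_repository(ref: str) -> str:
    """Strip digest and tag: docker/dockerfile:1.7 -> docker/dockerfile."""
    ref = ref.split("@", 1)[0]                 # drop an @sha256:... digest
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:                     # a colon before the last slash is a registry port
        ref = ref[:colon]
    return ref


def check_frontend(dockerfile: str, build_arg_syntax: Optional[str] = None) -> tuple:
    """Classify the effective frontend as 'default', 'trusted' or 'untrusted'.

    build_arg_syntax models --build-arg BUILDKIT_SYNTAX=<image>, assumed here to
    take precedence over the in-file directive.
    """
    ref = build_arg_syntax or find_syntax_directive(dockerfile)
    if ref is None:
        return "default", None                 # built-in Dockerfile frontend, not affected
    verdict = "trusted" if image_repository(ref) in TRUSTED_FRONTENDS else "untrusted"
    return verdict, ref
```

Run `check_frontend()` over each Dockerfile in a repository (and over the build args a CI job passes) and fail the pipeline on an "untrusted" verdict.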

Advisories

Source: Github GHSA
ID: GHSA-4c29-8rgm-jvjj
Title: BuildKit's Malicious frontend can cause file escape outside of storage root

History

Wed, 01 Apr 2026 23:45:00 +0000

  First Time appeared (values added): Mobyproject; Mobyproject buildkit
  CPEs (values added): cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Mobyproject; Mobyproject buildkit

Fri, 27 Mar 2026 20:15:00 +0000

  Metrics (values added): ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

  References (no values listed)
  Metrics (values removed): threat_severity = None
  Metrics (values added): threat_severity = Moderate

Fri, 27 Mar 2026 08:45:00 +0000

  First Time appeared (values added): Moby; Moby buildkit
  Vendors & Products (values added): Moby; Moby buildkit

Fri, 27 Mar 2026 04:00:00 +0000

  Description (values added): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
  Title (values added): BuildKit vulnerable to malicious frontend causing file escape outside of storage root
  Weaknesses (values added): CWE-22
  References (no values listed)
  Metrics (values added): cvssV3_1 = {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-27T19:59:06.907Z
Reserved: 2026-03-23T18:30:14.124Z
Link: CVE-2026-33747

Vulnrichment

Updated: 2026-03-27T13:25:57.488Z

NVD

Status: Analyzed
Published: 2026-03-27T01:16:21.330
Modified: 2026-04-01T14:34:48.210
Link: CVE-2026-33747

Redhat

Severity: Moderate
Public Date: 2026-03-27T00:49:06Z
Links: CVE-2026-33747 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T07:55:47Z

Weaknesses