Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Published: 2026-03-27
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

BuildKit allows the use of custom frontends that can send API messages to the build daemon. A malicious frontend can construct a message that causes files to be written outside the build state directory, effectively escaping the intended filesystem boundary. This flaw, classified as a file path traversal, can lead to arbitrary file writes and, depending on the content written, may enable remote code execution or privilege escalation. The CVSS score of 8.4 reflects the high severity of this improper access control weakness.
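The advisory classifies the flaw as CWE-22 (path traversal) but does not describe BuildKit's actual fix. The Go function below is an added example, not BuildKit's or OpenCVE's code, of the defensive pattern that class of bug calls for: every path a less-trusted component asks the daemon to write is joined onto the state directory and then checked, lexically, to still lie under it. The function and error names are assumptions; the check is lexical only, so a deployment whose root may contain symlinks would additionally resolve the result with `filepath.EvalSymlinks` before use.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any requested path that would land
// outside the state directory (assumed name, illustrative only).
var ErrOutsideRoot = errors.New("path escapes the state directory")

// ContainPath joins an untrusted, supposedly relative path onto root and
// verifies that the cleaned result is still inside root. Absolute paths
// and any ".." sequence that climbs above root are rejected. The check is
// purely lexical: it does not follow symlinks.
func ContainPath(root, untrusted string) (string, error) {
	root = filepath.Clean(root)
	if filepath.IsAbs(untrusted) {
		return "", ErrOutsideRoot
	}
	// Join cleans the result, so "a/../b" becomes "b" and "../x" resolves
	// upward; the Rel check below catches the upward case.
	full := filepath.Join(root, untrusted)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	// Constructed sample requests against a constructed state directory.
	root := "/var/lib/buildkit/state"
	for _, req := range []string{
		"blob/sha256/abc",        // legitimate write inside the root
		"layer/../blob/def",      // ".." that stays inside the root
		"../../etc/cron.d/job",   // traversal out of the root
		"/etc/passwd",            // absolute path, never acceptable
	} {
		if p, err := ContainPath(root, req); err != nil {
			fmt.Printf("REJECT %-24s %v\n", req, err)
		} else {
			fmt.Printf("ALLOW  %-24s -> %s\n", req, p)
		}
	}
}
```

The point of routing every write through one such function is that the containment decision is made in the daemon, which owns the state directory, rather than trusted to whatever component produced the request.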

Affected Systems

The vulnerability affects BuildKit releases from moby prior to version 0.28.1. Any instance that accepts custom frontends via the #syntax directive or the BUILDKIT_SYNTAX build argument is susceptible, while well-known, trusted frontends such as docker/dockerfile are not impacted. All builds executed with an untrusted custom frontend run in the affected versions are at risk.

Risk and Exploitability

The lack of an EPSS score and absence from the CISA KEV catalog do not diminish the risk; the flaw can be exploited by anyone who can inject or dictate a custom frontend into a BuildKit-enabled build environment. The CVSS rating of 8.4 indicates a high likelihood of successful exploitation if the attacker can leverage the vulnerable frontend. Monitoring of build configurations and controlling frontend sources are recommended until the issue is patched.

Generated by OpenCVE AI on March 27, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuildKit to version 0.28.1 or later
  • Disallow custom frontends or ensure they are sourced from trusted images when using older BuildKit versions
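Both the risk paragraph above and the second recommended action come down to knowing which frontend image a build will select. The Go program below is an added example, not OpenCVE's or BuildKit's code, that checks the two selection points the advisory names: a leading `# syntax=` parser directive in the Dockerfile and the `BUILDKIT_SYNTAX` build argument. It assumes directives are read only from the comment block at the top of the file (before the first instruction), that either selection point alone can pick the frontend, and an allowlist containing just the `docker/dockerfile` repository the advisory calls unaffected; all sample Dockerfiles and image names are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// trustedFrontends is an assumed allowlist of frontend image repositories
// (compared without tag or digest). Extend it with any frontend your
// organisation has reviewed.
var trustedFrontends = map[string]bool{
	"docker/dockerfile":           true,
	"docker.io/docker/dockerfile": true,
}

// syntaxDirective matches a "# syntax=<image>" parser directive.
var syntaxDirective = regexp.MustCompile(`(?i)^#\s*syntax\s*=\s*(\S+)`)

// FrontendFromDockerfile returns the image named by a leading "# syntax="
// directive, or "" if none is present. Scanning stops at the first
// non-comment line because directives after an instruction are ignored.
func FrontendFromDockerfile(dockerfile string) string {
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, "#") {
			break
		}
		if m := syntaxDirective.FindStringSubmatch(line); m != nil {
			return m[1]
		}
	}
	return ""
}

// Repository strips a trailing "@digest" and ":tag" from an image reference
// so the repository can be compared against the allowlist. A ":" before the
// last "/" (a registry port) is left alone.
func Repository(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		ref = ref[:colon]
	}
	return ref
}

// Finding is one frontend selection that is not on the allowlist.
type Finding struct {
	Source string // where the frontend was selected
	Image  string // the image reference as written
}

// CheckBuild inspects both selection points and reports every frontend
// that does not come from a trusted repository.
func CheckBuild(dockerfile string, buildArgs map[string]string) []Finding {
	var findings []Finding
	if img := FrontendFromDockerfile(dockerfile); img != "" && !trustedFrontends[Repository(img)] {
		findings = append(findings, Finding{"#syntax directive", img})
	}
	if img, ok := buildArgs["BUILDKIT_SYNTAX"]; ok && img != "" && !trustedFrontends[Repository(img)] {
		findings = append(findings, Finding{"BUILDKIT_SYNTAX build-arg", img})
	}
	return findings
}

func main() {
	// Constructed inputs: one build using the well-known frontend, one
	// whose Dockerfile pins an unreviewed image from another registry.
	good := "# syntax=docker/dockerfile:1\nFROM alpine\n"
	bad := "# escape=`\n# syntax=ghcr.io/example/custom-frontend:latest\nFROM alpine\n"
	for name, in := range map[string]struct {
		df   string
		args map[string]string
	}{
		"good": {good, nil},
		"bad":  {bad, map[string]string{"BUILDKIT_SYNTAX": "docker/dockerfile@sha256:deadbeef"}},
	} {
		for _, f := range CheckBuild(in.df, in.args) {
			fmt.Printf("%s: untrusted frontend via %s: %s\n", name, f.Source, f.Image)
		}
	}
}
```

Run as a pre-build gate in CI, a non-empty result is the signal to block the build (or fail the pull request) until BuildKit is on 0.28.1 or later or the frontend has been reviewed and added to the allowlist.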



Advisories
Source      | ID                  | Title
Github GHSA | GHSA-4c29-8rgm-jvjj | BuildKit's Malicious frontend can cause file escape outside of storage root
History

Fri, 27 Mar 2026 12:15:00 +0000

Type       | Values Removed        | Values Added
References |                       |
Metrics    | threat_severity: None | threat_severity: Moderate


Fri, 27 Mar 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Moby, Moby buildkit
Vendors & Products  |                | Moby, Moby buildkit

Fri, 27 Mar 2026 04:00:00 +0000

Type        | Values Removed | Values Added
Description |                | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Title       |                | BuildKit vulnerable to malicious frontend causing file escape outside of storage root
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:49:06.165Z

Reserved: 2026-03-23T18:30:14.124Z

Link: CVE-2026-33747

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T01:16:21.330

Modified: 2026-03-27T01:16:21.330

Link: CVE-2026-33747

Redhat

Severity: Moderate

Public Date: 2026-03-27T00:49:06Z

Links: CVE-2026-33747 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:25Z

Weaknesses