Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Published: 2026-03-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch
AI Analysis

Impact

BuildKit uses the subdir component of a Git URL fragment to check out a specific subdirectory of a repository. In versions prior to 0.28.1, the tool does not fully validate this subdir, so an attacker who can influence the Git URL may cause BuildKit to read or copy files that lie outside the intended repository root, but within the same mounted filesystem. This flaw can expose sensitive files during a build, leading to disclosure of confidential data or facilitating further attacks.
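As an added example, not BuildKit's own code, the following Go snippet shows the kind of containment check that closes this class of subdir escape: it rejects lexical traversal (CWE-22) and then follows symlinks to confirm the resolved path is still under the checkout root (CWE-59). The resolveSubdir function and the constructed repo/app and repo/escape layout are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot reports a subdir that escapes the checkout root, lexically or via a symlink.
var ErrOutsideRoot = errors.New("subdir resolves outside repository root")

// resolveSubdir is a hypothetical check (not BuildKit's): real path of subdir under root, or ErrOutsideRoot.
func resolveSubdir(root, subdir string) (string, error) {
	sep := string(filepath.Separator)
	clean := filepath.Clean(subdir)
	// Lexical check: reject absolute paths and parent-directory traversal.
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return "", ErrOutsideRoot
	}
	realRoot, err := filepath.EvalSymlinks(root) // resolve root first (e.g. /tmp -> /private/tmp)
	if err != nil {
		return "", err
	}
	// Follow every symlink on the way to the target; a lexical check alone misses this case.
	realTarget, err := filepath.EvalSymlinks(filepath.Join(realRoot, clean))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realTarget)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRoot
	}
	return realTarget, nil
}

// main builds a constructed checkout: repo/app (legitimate) and repo/escape -> ../secrets (symlink).
func main() {
	base, _ := os.MkdirTemp("", "buildkit-subdir")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	os.MkdirAll(filepath.Join(root, "app"), 0o755)
	os.MkdirAll(filepath.Join(base, "secrets"), 0o755)
	os.Symlink(filepath.Join(base, "secrets"), filepath.Join(root, "escape"))
	for _, sub := range []string{"app", "escape", "../secrets"} {
		_, err := resolveSubdir(root, sub)
		fmt.Printf("%-12s -> %v\n", sub, err)
	}
}
```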

Affected Systems

The vulnerability affects the BuildKit component of Docker, as bundled with the moby project. Any instance running BuildKit before version 0.28.1 and using Git URLs that specify a subpath is susceptible. BuildKit releases starting with v0.28.1 contain the fix.

Risk and Exploitability

The CVSS base score of 8.2 classifies the issue as high severity. Exploitation requires an attacker to control the Git URL used in the Dockerfile or build context; no network-based attack vector is described. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no EPSS data is available, but the wide use of BuildKit suggests that when the subdir component is abused, the impact could be significant. There is no publicly known exploit, yet the conditions are straightforward enough that a malicious build could potentially read sensitive files.

Generated by OpenCVE AI on March 27, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BuildKit to version 0.28.1 or later
  • Avoid including subpath components in Git URLs used in Dockerfiles
  • Ensure Dockerfiles are sourced from trusted origins
  • Remove or disable use of subdir components where the Git repository is not fully trusted
  • Verify that any symlinks referenced by the subdir component do not point outside the intended directory


Advisories
Source: GitHub GHSA
ID: GHSA-4vrq-3vrq-g6gg
Title: BuildKit Git URL subdir component can cause access to restricted files
History

Mon, 20 Apr 2026 12:45:00 +0000

Type: First Time appeared
  Added: Mobyproject; Mobyproject buildkit
Type: CPEs
  Added: cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Mobyproject; Mobyproject buildkit
Type: Metrics
  Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
  Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 31 Mar 2026 03:00:00 +0000

Type: References
Type: Metrics
  Removed: threat_severity None
  Added:   cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; threat_severity Moderate


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
  Added: Moby; Moby buildkit
Type: Vendors & Products
  Added: Moby; Moby buildkit

Fri, 27 Mar 2026 20:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:30:00 +0000

Type: Description
  Added: BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Type: Title
  Added: BuildKit Git URL subdir component can cause access to restricted files
Type: Weaknesses
  Added: CWE-22; CWE-59
Type: References
Type: Metrics
  Added: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:58:28.764Z

Reserved: 2026-03-23T18:30:14.124Z

Link: CVE-2026-33748

Vulnrichment

Updated: 2026-03-27T18:56:03.208Z

NVD

Status : Analyzed

Published: 2026-03-27T15:16:57.127

Modified: 2026-04-20T12:37:46.220

Link: CVE-2026-33748

Red Hat

Severity : Moderate

Public Date: 2026-03-27T14:00:21Z

Links: CVE-2026-33748 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T07:01:58Z

Weaknesses