Code Execution Vulnerability in BuildKit by Moby
CVE-2026-33747

8.4 HIGH

Key Information:

Vendor: Moby
Status: Vendor
CVE Published: 27 March 2026

What is CVE-2026-33747?

BuildKit is a toolkit for turning source code into build artifacts in an efficient, expressive and repeatable way. In versions before 0.28.1, a custom BuildKit frontend could send crafted API messages to the build daemon that caused it to write files outside the designated BuildKit state directory, that is, an arbitrary file write on the system running the daemon. The issue is only reachable when a build is pointed at an untrusted frontend image, for example through a "# syntax=" parser directive in the Dockerfile or a --build-arg BUILDKIT_SYNTAX build argument. Builds that use the default built-in frontend or a recognized frontend image such as docker/dockerfile are not exposed. The issue is fixed in BuildKit 0.28.1.
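A practical check for the precondition described above: before a build reaches the daemon, resolve which frontend image the Dockerfile and build arguments select and flag anything that is not on an allowlist. This is an added example written for this page, not code from BuildKit or the Moby project. It assumes an allowlist containing only docker/dockerfile, treats a BUILDKIT_SYNTAX build-arg as taking precedence over the Dockerfile directive, and runs over constructed Dockerfiles that reference a hypothetical example.com/acme/frontend image.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// trustedFrontends is an allowlist of frontend image repositories, keyed by
// canonical repository name (Docker Hub registry prefix stripped, no tag or
// digest). The advisory names docker/dockerfile as a recognized frontend;
// anything else is treated as untrusted by this example (assumption).
var trustedFrontends = map[string]bool{
	"docker/dockerfile": true,
}

// Constructed sample inputs for the demonstration (not from the advisory).
// example.com/acme/frontend is a hypothetical third-party frontend image.
var (
	dockerfileTrusted   = "# syntax=docker/dockerfile:1\nFROM alpine:3.20\nRUN echo ok\n"
	dockerfileUntrusted = "# escape=`\n# syntax=example.com/acme/frontend:latest --debug\nFROM alpine:3.20\n"
	dockerfileNoSyntax  = "FROM alpine:3.20\n# syntax=example.com/acme/frontend\nRUN echo ignored\n"
)

// canonicalRepo reduces an image reference to its repository so that
// docker/dockerfile:1, docker.io/docker/dockerfile:1.7 and
// docker/dockerfile@sha256:... all compare equal as "docker/dockerfile".
func canonicalRepo(ref string) string {
	ref = strings.TrimSpace(ref)
	// A digest contains ':' and must be removed before the tag check.
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	// The last ':' is a tag separator only if it follows the last '/';
	// otherwise it is a registry port such as localhost:5000/acme/frontend.
	if i := strings.LastIndex(ref, ":"); i >= 0 && i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	for _, p := range []string{"docker.io/", "index.docker.io/", "registry-1.docker.io/"} {
		ref = strings.TrimPrefix(ref, p)
	}
	// Hub short names without a namespace resolve under library/.
	if !strings.Contains(ref, "/") {
		ref = "library/" + ref
	}
	return ref
}

// syntaxDirective returns the image reference from a `# syntax=...` parser
// directive, or "" if none is present. Following the Dockerfile format, a
// directive is only recognized in the leading block of `# key=value` comments:
// the first blank line, instruction, or ordinary comment ends that block.
func syntaxDirective(dockerfile string) string {
	sc := bufio.NewScanner(strings.NewReader(strings.TrimPrefix(dockerfile, "\uFEFF")))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "#") {
			return ""
		}
		key, val, ok := strings.Cut(strings.TrimPrefix(line, "#"), "=")
		key = strings.TrimSpace(key)
		if !ok || key == "" || strings.ContainsAny(key, " \t") {
			return "" // an ordinary comment ends the directive block
		}
		if strings.EqualFold(key, "syntax") {
			// Anything after the first token is extra frontend command line.
			if f := strings.Fields(val); len(f) > 0 {
				return f[0]
			}
			return ""
		}
	}
	return ""
}

// effectiveFrontend resolves the frontend a build would use. The example
// assumes a BUILDKIT_SYNTAX build-arg overrides the Dockerfile directive; with
// neither present the builder's bundled default frontend is used and "" is
// returned.
func effectiveFrontend(dockerfile string, buildArgs map[string]string) string {
	if f := strings.Fields(buildArgs["BUILDKIT_SYNTAX"]); len(f) > 0 {
		return f[0]
	}
	return syntaxDirective(dockerfile)
}

// checkFrontend classifies a build: it returns the canonical frontend
// repository ("" when the built-in frontend is used) and whether the build
// is acceptable under the allowlist.
func checkFrontend(dockerfile string, buildArgs map[string]string) (string, bool) {
	ref := effectiveFrontend(dockerfile, buildArgs)
	if ref == "" {
		return "", true // no custom frontend: the advisory's precondition is absent
	}
	repo := canonicalRepo(ref)
	return repo, trustedFrontends[repo]
}

func main() {
	cases := []struct {
		name string
		df   string
		args map[string]string
	}{
		{"trusted directive", dockerfileTrusted, nil},
		{"untrusted directive", dockerfileUntrusted, nil},
		{"directive after FROM is ignored", dockerfileNoSyntax, nil},
		{"build-arg override", dockerfileTrusted, map[string]string{"BUILDKIT_SYNTAX": "example.com/acme/frontend:1"}},
	}
	for _, c := range cases {
		repo, ok := checkFrontend(c.df, c.args)
		fmt.Printf("%-32s frontend=%-30q trusted=%v\n", c.name, repo, ok)
	}
}
```

Run a check like this as a CI pre-step over every Dockerfile and build-arg set a pipeline submits, alongside a check that the builder itself is at 0.28.1 or later. The allowlist is defence in depth against untrusted frontends being pulled in by a directive someone adds to a Dockerfile; it is not a substitute for the upgrade.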

Affected Version(s)

buildkit < 0.28.1

CVSS V3.1

Score: 8.4
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 27 March 2026