CVE-2026-33747
Received Received - Intake
Directory Traversal in BuildKit Frontend Allows Arbitrary File Write

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33747
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mobyproject buildkit to 0.28.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33747 is a high-severity vulnerability in BuildKit versions up to and including v0.28.0. It occurs when using a custom BuildKit frontend that can craft a malicious API message to write files outside the designated BuildKit state directory for the execution context. This means that an untrusted frontend can cause files to be written outside the intended storage area, potentially escaping the sandboxed environment.

The vulnerability requires the use of untrusted BuildKit frontends specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option. Well-known frontend images like docker/dockerfile are not affected. The issue was fixed in BuildKit version 0.28.1.

Impact Analysis

This vulnerability can have serious impacts including high risks to confidentiality, integrity, and availability. Because it allows unauthorized file writes outside the BuildKit state directory, an attacker using an untrusted frontend could overwrite or create files in locations they should not have access to.

Such unauthorized file writes could lead to system compromise, data corruption, or denial of service by affecting critical files or system components.

Mitigation Strategies

To mitigate this vulnerability, upgrade BuildKit to version 0.28.1 or later, where the issue has been fixed.

Avoid using untrusted custom BuildKit frontends specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option, as the vulnerability is triggered only when these are used.

Use well-known frontend images such as docker/dockerfile, which are not affected by this vulnerability.

Compliance Impact

This vulnerability allows an untrusted BuildKit frontend to write files outside the designated BuildKit state directory, leading to unauthorized file writes that impact confidentiality, integrity, and availability.

Such unauthorized file access and modification could potentially lead to exposure or alteration of sensitive data, which may affect compliance with data protection regulations like GDPR and HIPAA that require strict controls over data confidentiality and integrity.

However, the vulnerability requires using an untrusted frontend and does not affect well-known frontends, which may limit the risk in controlled environments.

Detection Guidance

This vulnerability occurs when using an untrusted BuildKit frontend specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option. Detection involves verifying the BuildKit version and the usage of custom frontends.

  • Check the BuildKit version to ensure it is v0.28.1 or later, where the vulnerability is fixed.
  • Inspect build commands or Dockerfiles for usage of the #syntax directive or the --build-arg BUILDKIT_SYNTAX option with untrusted frontend images.
  • Example command to check BuildKit version: `buildkitd --version` or `buildctl --version`.
  • Search build scripts or Dockerfiles for the #syntax directive: `grep -r '#syntax' ./`.
  • Search for the --build-arg BUILDKIT_SYNTAX usage in build commands or CI/CD pipelines.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart