CVE-2026-33747
Directory Traversal in BuildKit Frontend Allows Arbitrary File Write
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mobyproject | buildkit | up to 0.28.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33747 is a high-severity vulnerability in BuildKit versions up to and including v0.28.0. A custom BuildKit frontend can craft a malicious API message that makes the daemon write files outside the BuildKit state directory reserved for that build's execution context. This means that an untrusted frontend can cause files to be written outside the intended storage area, potentially escaping the sandboxed environment.
The vulnerability requires the use of untrusted BuildKit frontends specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option. Well-known frontend images like docker/dockerfile are not affected. The issue was fixed in BuildKit version 0.28.1.
How can this vulnerability impact me?
This vulnerability can have serious impacts including high risks to confidentiality, integrity, and availability. Because it allows unauthorized file writes outside the BuildKit state directory, an attacker using an untrusted frontend could overwrite or create files in locations they should not have access to.
Such unauthorized file writes could lead to system compromise, data corruption, or denial of service by affecting critical files or system components.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade BuildKit to version 0.28.1 or later, where the issue has been fixed.
Avoid using untrusted custom BuildKit frontends specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option, as the vulnerability is triggered only when these are used.
Use well-known frontend images such as docker/dockerfile, which are not affected by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an untrusted BuildKit frontend to write files outside the designated BuildKit state directory, leading to unauthorized file writes that impact confidentiality, integrity, and availability.
Such unauthorized file access and modification could potentially lead to exposure or alteration of sensitive data, which may affect compliance with data protection regulations like GDPR and HIPAA that require strict controls over data confidentiality and integrity.
However, the vulnerability requires using an untrusted frontend and does not affect well-known frontends, which may limit the risk in controlled environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when using an untrusted BuildKit frontend specified via the #syntax directive or the --build-arg BUILDKIT_SYNTAX option. Detection involves verifying the BuildKit version and the usage of custom frontends.
- Check the BuildKit version to ensure it is v0.28.1 or later, where the vulnerability is fixed.
- Inspect build commands or Dockerfiles for usage of the #syntax directive or the --build-arg BUILDKIT_SYNTAX option with untrusted frontend images.
- Example command to check BuildKit version: `buildkitd --version` or `buildctl --version`.
- Search build scripts or Dockerfiles for the syntax directive, which may be written as `#syntax=` or `# syntax=`: `grep -rEi '^#[[:space:]]*syntax[[:space:]]*=' .`
- Search for the --build-arg BUILDKIT_SYNTAX usage in build commands or CI/CD pipelines.
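As an added example (not part of this advisory or of the BuildKit project), a POSIX shell script that turns the checks above into something a CI job can run: it pulls the frontend image out of a Dockerfile's parser-directive block, flags anything other than docker/dockerfile (assumed here to be the only trusted frontend), and compares a version string against the fixed release 0.28.1. The sample Dockerfiles are constructed inline.

```shell
# Added example, not from the advisory: flag Dockerfiles whose parser directive
# names a frontend other than docker/dockerfile (assumed allowlist), and test
# whether a BuildKit version string is at or past the fixed release 0.28.1.
# Print the frontend image from the parser-directive block at the top of a
# Dockerfile (directives must precede the first instruction), or nothing.
frontend_of() {
  awk '
    /^[ \t]*$/ { next }
    /^#/ { if (match(tolower($0), /^#[ \t]*syntax[ \t]*=[ \t]*/)) {
             s = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", s); print s; exit }
           next }
    { exit }   # first instruction ends the directive block
  ' "$1"
}
# 0 = allowlisted frontend, 1 = custom frontend to review, 2 = no directive.
classify_frontend() {
  img=$(frontend_of "$1")
  [ -n "$img" ] || return 2
  ref=${img%%@*}                                  # drop @sha256:... digest
  tail=${ref##*/}; tail=${tail%%:*}               # drop :tag from last component
  case "$ref" in */*) ref=${ref%/*}/$tail ;; *) ref=$tail ;; esac
  case "$ref" in docker/dockerfile|docker.io/docker/dockerfile) return 0 ;; esac
  return 1
}
# 0 if "$1" (e.g. "v0.28.0", "0.28.1") is >= 0.28.1, the first fixed release.
buildkit_is_fixed() {
  v=${1#v}; major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
  case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}                         # tolerate "1-rc1"
  [ "$major" -gt 0 ] && return 0
  [ "$minor" -gt 28 ] && return 0
  [ "$minor" -eq 28 ] && [ "${patch:-0}" -ge 1 ]
}
# Report every Dockerfile under "$1" that pulls in a custom frontend.
scan_tree() {
  find "$1" -name Dockerfile -o -name '*.Dockerfile' | while read -r f; do
    classify_frontend "$f" && rc=0 || rc=$?
    [ "$rc" -ne 1 ] || echo "REVIEW: $f uses custom frontend $(frontend_of "$f")"
  done
}
# Constructed sample tree: official frontend, custom frontend, and a file whose
# "syntax" line comes after FROM and is therefore only a comment.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/official" "$SAMPLE_DIR/custom" "$SAMPLE_DIR/plain"
printf '# syntax=docker/dockerfile:1\nFROM alpine\n' > "$SAMPLE_DIR/official/Dockerfile"
printf '\n# escape=`\n#syntax = ghcr.io/example/custom-frontend:latest\nFROM alpine\n' > "$SAMPLE_DIR/custom/Dockerfile"
printf 'FROM alpine\n# syntax=docker/dockerfile:1\n' > "$SAMPLE_DIR/plain/Dockerfile"
scan_tree "$SAMPLE_DIR"
```

On a real host, pass `buildkit_is_fixed` the version from `buildctl --version` (assumed here to be the third whitespace-separated field of that output) and point `scan_tree` at the repository root.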