Vulnerability Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobyproject | Buildkit | < 0.28.1 |
Related Weaknesses (CWE)
References
- https://github.com/moby/buildkit/releases/tag/v0.28.1ProductRelease Notes
- https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjjMitigationVendor Advisory
FAQ
What is CVE-2026-33747?
CVE-2026-33747 is a vulnerability with a CVSS score of 8.4 (HIGH). BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can ...
How severe is CVE-2026-33747?
CVE-2026-33747 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33747?
Check the references section above for vendor advisories and patch information. Affected products include: Mobyproject Buildkit.