Vulnerability Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobyproject | Buildkit | < 0.28.1 |
Related Weaknesses (CWE)
References
- https://docs.docker.com/build/concepts/context/#url-fragmentsProduct
- https://github.com/moby/buildkit/releases/tag/v0.28.1ProductRelease Notes
- https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6ggMitigationVendor Advisory
FAQ
What is CVE-2026-33748?
CVE-2026-33748 is a vulnerability with a CVSS score of 7.5 (HIGH). BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir compo...
How severe is CVE-2026-33748?
CVE-2026-33748 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33748?
Check the references section above for vendor advisories and patch information. Affected products include: Mobyproject Buildkit.