CVE-2026-33747
Published: 27 March 2026
Summary
CVE-2026-33747 is a high-severity Path Traversal (CWE-22) vulnerability in Mobyproject Buildkit. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the path traversal vulnerability by requiring timely remediation through upgrading BuildKit to v0.28.1 or later.
Prevents exploitation of the path traversal in custom frontend API messages by validating file paths and inputs to block writes outside the state directory.
Reduces attack surface by prohibiting nonessential capabilities like untrusted custom BuildKit frontends via #syntax or --build-arg BUILDKIT_SYNTAX.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file write outside the sandboxed BuildKit state directory, directly facilitating local privilege escalation to achieve full system compromise.
NVD Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
Deeper analysis
CVE-2026-33747 is a path traversal vulnerability (CWE-22) in BuildKit, a toolkit for efficiently converting source code to build artifacts. The flaw affects versions prior to 0.28.1 and occurs when using a custom BuildKit frontend specified via `#syntax` directives or the `--build-arg BUILDKIT_SYNTAX` option. In such cases, a malicious frontend can craft an API message that writes files outside the intended BuildKit state directory for the execution context. Well-known frontends like `docker/dockerfile` are explicitly not affected.
The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high impact with low attack complexity and no privileges required. A local attacker who controls or influences a custom, untrusted BuildKit frontend can exploit it during the build process to overwrite or create arbitrary files outside the sandboxed state directory, potentially leading to full system compromise through privilege escalation, data corruption, or denial of service.
The issue was addressed in BuildKit version 0.28.1, as detailed in the project's release notes and security advisory. Users should upgrade to v0.28.1 or later and avoid untrusted custom frontends when possible. Relevant resources include the release announcement at https://github.com/moby/buildkit/releases/tag/v0.28.1 and the GitHub Security Advisory at https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj.
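One way to enforce the "avoid untrusted custom frontends" advice before a build runs is a pre-build policy check. The following is an added example, not code from BuildKit or from this page. The names `CustomFrontends`, `untrusted` and `trusted` are hypothetical, the allowlist holds only `docker/dockerfile` (the image the advisory names as unaffected), and only the `#` comment form of the syntax directive is parsed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: only docker/dockerfile, which the advisory names as unaffected, is trusted.
var trusted = map[string]bool{"docker/dockerfile": true}
// A parser directive is a "# key=value" comment at the very top of the Dockerfile.
var directive = regexp.MustCompile(`^#\s*([A-Za-z]+)\s*=\s*(\S+)$`)

// untrusted strips digest, tag and docker.io/ prefix, then checks the allowlist.
func untrusted(ref string) bool {
	ref, _, _ = strings.Cut(ref, "@")
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return !trusted[strings.TrimPrefix(ref, "docker.io/")]
}

// CustomFrontends lists untrusted frontends set by a syntax directive or a BUILDKIT_SYNTAX build arg.
func CustomFrontends(dockerfile string, args []string) []string {
	var flagged []string
	for _, line := range strings.Split(dockerfile, "\n") {
		m := directive.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			break // the first non-directive line ends the directive block
		}
		if strings.EqualFold(m[1], "syntax") && untrusted(m[2]) {
			flagged = append(flagged, m[2])
		}
	}
	for i, a := range args {
		if a == "--build-arg" && i+1 < len(args) {
			a = "--build-arg=" + args[i+1] // normalise the two-token form
		}
		v, ok := strings.CutPrefix(a, "--build-arg=BUILDKIT_SYNTAX=")
		if ok && untrusted(v) {
			flagged = append(flagged, v)
		}
	}
	return flagged
}

func main() { // constructed sample input
	fmt.Println(CustomFrontends("# syntax=registry.example/team/frontend:1\nFROM alpine\n", nil))
}
```

A non-empty result means the build would load a frontend outside the allowlist and should be blocked or reviewed, in addition to upgrading to v0.28.1 or later.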
Details
- CWE(s)