Cyber Posture

CVE-2026-33748

Severity: High

Published: 27 March 2026
Modified: 20 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33748 is a high-severity Path Traversal (CWE-22) vulnerability in Mobyproject Buildkit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood ranks at the 8.8th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the insufficient validation of Git URL fragment subdir components to block path traversal access outside the repository root.

SI-2 Flaw Remediation (prevent)
Ensures timely patching of BuildKit to version 0.28.1 or later, which fixes the path traversal flaw.

Least privilege (prevent)
Limits the BuildKit build process to least privilege, restricting potential unauthorized file access on the same filesystem even if traversal succeeds.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Path traversal in network-accessible BuildKit enables remote exploitation of a build service (T1190) to read arbitrary local files (T1005), including credentials from files (T1552.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Deeper analysis

CVE-2026-33748 is a path traversal vulnerability (CWE-22, CWE-59) in BuildKit, a toolkit for efficiently converting source code to build artifacts, affecting versions prior to 0.28.1. The flaw stems from insufficient validation of Git URL fragment subdir components during builds, which can enable access to files outside the checked-out Git repository root. Access is restricted to files on the same mounted filesystem. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

The vulnerability can be exploited by any network-accessible attacker who can influence a BuildKit build process using a malicious Git URL containing a subpath (subdir) component. This typically occurs when building Dockerfiles from untrusted sources or Git repositories where the subdir points to a symlink. Successful exploitation allows the attacker to read sensitive files outside the intended repository context on the same filesystem, potentially exposing configuration data, credentials, or other host information during the build.

BuildKit addresses the issue in version v0.28.1, as detailed in the release notes and associated GitHub Security Advisory (GHSA-4vrq-3vrq-g6gg). As a workaround, practitioners should avoid building from untrusted Dockerfiles or Git repositories with untrusted subdir components. Additional context on Git URL fragments is available in Docker documentation.
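The SI-10 control and the NVD workaround above both come down to one check: resolve the requested subdir, symlinks included, and refuse anything that lands outside the checked-out tree. The Go function below is an added illustration of that check written for this page, not BuildKit's own fix; ResolveSubdir and ErrOutsideRepo are hypothetical names, and the demo directory in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a subdir does not stay inside the repository root.
var ErrOutsideRepo = errors.New("subdir resolves outside the repository root")

// ResolveSubdir returns the real path of subdir beneath repoRoot, refusing an
// absolute path, a ".." escape, or a symlink that points outside the checkout.
// Hypothetical helper written for this page; it is not BuildKit's own code.
func ResolveSubdir(repoRoot, subdir string) (string, error) {
	if filepath.IsAbs(subdir) {
		return "", fmt.Errorf("subdir %q: %w", subdir, ErrOutsideRepo)
	}
	// Resolve the root itself so the prefix comparison uses canonical paths.
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	// Join cleans ".." lexically, but a lexical check alone is what this CVE
	// shows to be insufficient: a symlink component still escapes the tree.
	// EvalSymlinks follows every link, so "escape -> /etc" becomes "/etc".
	candidate := filepath.Join(root, subdir)
	real, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if real != root && !strings.HasPrefix(real, root+string(filepath.Separator)) {
		return "", fmt.Errorf("subdir %q resolves to %q: %w", subdir, real, ErrOutsideRepo)
	}
	return real, nil
}

func main() {
	// Constructed demo: a checkout with a real subdir and a symlink pointing out of it.
	root, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(root)
	_ = os.Mkdir(filepath.Join(root, "app"), 0o755)
	_ = os.Symlink(os.TempDir(), filepath.Join(root, "escape"))
	for _, sub := range []string{"app", "escape", "/etc"} {
		p, err := ResolveSubdir(root, sub)
		fmt.Printf("%-8s -> %q err=%v\n", sub, p, err)
	}
}
```

Applying the same resolution to the build context before any Dockerfile is read is the point of the control; restricting the build process itself (the least-privilege control above) limits what a missed case can reach.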

Details

CWE(s): CWE-22, CWE-59

Affected Products: mobyproject buildkit ≤ 0.28.1

CVEs Like This One

CVE-2026-33747 (same product: Mobyproject Buildkit)
CVE-2026-3585 (shared CWE-22)
CVE-2026-34040 (same vendor: Mobyproject)
CVE-2026-26217 (shared CWE-22)
CVE-2026-30403 (shared CWE-22)
CVE-2026-28679 (shared CWE-22)
CVE-2026-30869 (shared CWE-22)
CVE-2026-24046 (shared CWE-22, CWE-59)
CVE-2026-33077 (shared CWE-22)
CVE-2026-33997 (same vendor: Mobyproject)
