CVE-2026-33748: Path Traversal in BuildKit

Severity
8.2 HIGH (NVD)
EPSS
0.0%
top 94.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 27

Description

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1. The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Docke

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)

CVEListV5: moby/buildkit < 0.28.1

🔴 Vulnerability Details (3)

OSV: BuildKit Git URL subdir component can cause access to restricted files in github.com/moby/buildkit (2026-03-27)
OSV: BuildKit Git URL subdir component can cause access to restricted files (2026-03-26)
GHSA: BuildKit Git URL subdir component can cause access to restricted files (2026-03-26)

📋 Vendor Advisories (1)

Red Hat: github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components (2026-03-27)

🕵️ Threat Intelligence (14)

Wiz
CVE-2026-23992 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-33748 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-24686 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-67499 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-24117 Impact, Exploitability, and Mitigation Steps | Wiz