CVE-2026-33747
ADVISORY - githubSummary
Impact
When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.
Patches
The issue has been fixed in v0.28.1+
Workarounds
Issue requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected.
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-4c29-8rgm-jvjj
EXPLOITABILITY SCORE
2.5
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)