CVE-2026-33747 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-33747 PUBLISHED CVSS 8.399999618530273 HIGH

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

EPSS 0.01% · 0.4th percentile

Risk Scores

CVSS v3.1

8.399999618530273

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.01%

0.4th percentile

Affected Products

Vendor	Product	Versions
github.com	moby/buildkit	0, 0, 0
mobyproject	buildkit	0
moby	buildkit	< 0.28.1, < 0.28.1, < 0.28.1

Timeline

Mar 26, 2026 CVE Published
Mar 27, 2026 CVE Updated
Mar 27, 2026 Coalition ESS Score
Mar 27, 2026 PoC Published
Mar 27, 2026 PoC Published
Mar 27, 2026 Security Advisory
Mar 28, 2026 EPSS Score
Mar 28, 2026 PoC Published
Apr 1, 2026 PoC Published
Apr 11, 2026 PoC Published
May 6, 2026 PoC Published

References

Open in Interactive Console →