8.4
Docker BuildKit Malware Can Write Files Outside Designated Area
GHSA-4c29-8rgm-jvjj
CVE-2026-33747
Summary
An untrusted custom BuildKit frontend can cause files to be written outside the BuildKit state directory, potentially causing data loss. You are exposed only if a build uses an untrusted frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. To stay safe, use a known and trusted frontend or upgrade to version 0.28.1 or later.
What to do
- Update BuildKit (github.com moby) to version 0.28.1 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | moby | < 0.28.1 | 0.28.1 |
Original title
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend c...
Original description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.
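To find builds that meet the precondition described above, the following added example (not part of the advisory or the BuildKit project) flags Dockerfiles and build commands that select a frontend outside an allowlist. The allowlist contents, the sample inputs and all function names are assumptions made for illustration; the directive parsing follows the documented rule that parser directives are only read from the leading `# key=value` lines of a Dockerfile.

```python
import re

# Assumption: frontends this organisation trusts. The advisory names
# docker/dockerfile as a well-known frontend; extend the set as needed.
TRUSTED_FRONTENDS = {"docker/dockerfile", "docker.io/docker/dockerfile"}

DIRECTIVE = re.compile(r"^#\s*([A-Za-z]+)\s*=\s*(.+?)\s*$")
BUILD_ARG = re.compile(r"--build-arg[=\s]+[\"']?BUILDKIT_SYNTAX=([^\s\"']+)")

# Constructed sample inputs (not taken from any real project).
SAMPLE_OK = "# syntax=docker/dockerfile:1\nFROM alpine\n"
SAMPLE_CUSTOM = "# escape=`\n# syntax=registry.example.com/team/frontend:latest\nFROM alpine\n"
SAMPLE_LATE = "FROM alpine\n# syntax=registry.example.com/team/frontend:latest\n"
SAMPLE_CMD = "docker build --build-arg BUILDKIT_SYNTAX=registry.example.com/team/frontend:2 ."


def repository(ref):
    """Strip the tag and digest from an image reference."""
    ref = ref.split("@", 1)[0]
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]
    return f"{head}/{tail}" if head else tail


def syntax_directive(dockerfile_text):
    """Return the frontend set by a `# syntax=` parser directive, or None.
    Only the leading run of `# key=value` lines is treated as directives."""
    for line in dockerfile_text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:
            return None  # first non-directive line ends the directive block
        if m.group(1).lower() == "syntax":
            return m.group(2)
    return None


def untrusted_frontends(dockerfile_text="", build_command=""):
    """List frontend references that are not on the allowlist."""
    refs = BUILD_ARG.findall(build_command)
    directive = syntax_directive(dockerfile_text)
    if directive:
        refs.append(directive)
    return [r for r in refs if repository(r) not in TRUSTED_FRONTENDS]


if __name__ == "__main__":
    for text, cmd in [(SAMPLE_OK, ""), (SAMPLE_CUSTOM, ""), (SAMPLE_LATE, ""), ("", SAMPLE_CMD)]:
        print(untrusted_frontends(text, cmd))
```

Any reference this reports is a build that runs a custom frontend, so it should either be reviewed and added to the allowlist or run only on BuildKit 0.28.1 or later.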
ghsa CVSS3.1
8.4
Vulnerability type
CWE-22
Path Traversal
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 26 Mar 2026