PT-2026-28526 · Docker+3 · Buildkit+3

Published: 2026-03-26 · Updated: 2026-05-18 · CVE-2026-33748

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: BuildKit versions prior to 0.28.1

Description: Insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. This issue affects builds that use Git URLs with a subpath component. The vulnerable component is the handling of the subdir component within Git URLs. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Recommendations: Update to BuildKit version 0.28.1 or later. Avoid building Dockerfiles from untrusted sources. Avoid using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
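As an added defensive example (not BuildKit's own code; ResolveSubdir, within and ErrOutsideRoot are hypothetical names), this is the containment check a source fetcher needs when the subdir component of a Git URL fragment is untrusted and may be a symlink: the subdir is joined onto the checkout root, symlinks are resolved, and any result that leaves the root is rejected, both for lexical ".." escapes and for a committed symlink whose target lies outside the repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("subdir resolves outside repository root")

// ResolveSubdir joins an untrusted subdir onto the checkout root, follows every
// symlink in the result and refuses any path that escapes the root: a lexical
// check catches "../x", a physical one catches a committed symlink "ctx -> /".
func ResolveSubdir(root, subdir string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot) // root itself may sit behind a symlink
	if err != nil {
		return "", err
	}
	joined := filepath.Join(realRoot, subdir) // Join cleans: ".." is applied lexically
	if !within(realRoot, joined) {
		return "", ErrOutsideRoot
	}
	resolved, err := filepath.EvalSymlinks(joined) // follows symlinks inside the repo
	if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func within(root, path string) bool { // true when path is root itself or lies beneath it
	rel, err := filepath.Rel(root, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() { // constructed checkout: one real dir plus one committed escape symlink
	root, _ := os.MkdirTemp("", "repo")
	defer os.RemoveAll(root)
	os.Mkdir(filepath.Join(root, "app"), 0o755)
	os.Symlink("/", filepath.Join(root, "escape"))
	fmt.Println(ResolveSubdir(root, "app"))
	fmt.Println(ResolveSubdir(root, "escape"))
}
```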


Weakness Enumeration

Path traversal
Link Following

Related Identifiers

BDU:2026-07210
CLEANSTART-2026-FK40318
CLEANSTART-2026-HI89495
CVE-2026-33748
GHSA-4VRQ-3VRQ-G6GG
GO-2026-4859
OPENSUSE-SU-2026:10651-1
OPENSUSE-SU-2026:20702-1
OPENSUSE-SU-2026:20809-1
OPENSUSE-SU-2026:20814-1
SUSE-SU-2026:1205-1
SUSE-SU-2026:2120-1
SUSE-SU-2026:21851-1
USN-8230-1

Affected Products

Buildkit
Linuxmint
Red Os
Ubuntu