CVE-2026-33748 Overview
CVE-2026-33748 is a Path Traversal vulnerability in BuildKit, the toolkit Docker and buildctl use to turn source code into build artifacts. Prior to version 0.28.1, insufficient validation of the subdir component of a Git URL fragment could let a build read files outside the checked-out Git repository root. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
An attacker who controls a Git repository used as a build context, or who can influence the subdir component of the Git URL, can cause BuildKit to read files outside the checkout on the build host. This can expose credentials, configuration files, or other sensitive data that live on the same mounted filesystem as the checkout.
Affected Products
- BuildKit versions prior to 0.28.1
- Docker builds using Git URLs with subpath components
- Container build pipelines utilizing BuildKit with untrusted Git sources
Discovery Timeline
- 2026-03-27 - CVE-2026-33748 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33748
Vulnerability Analysis
This Path Traversal vulnerability exists because BuildKit did not sufficiently validate the subdir component of a Git URL fragment when preparing a build context. When a build specifies a Git URL with a subpath component (the #<ref>:<subdir> syntax, with the ref optionally empty), BuildKit failed to verify that the requested subdirectory actually resolves to a location inside the checked-out repository.
Only builds that use a Git URL with a subpath component are affected, for example https://github.com/user/repo.git#:<subdir>. Two inputs matter: the subdir value in the URL and the contents of the repository it is applied to. An attacker who controls the repository can commit a symlink at the subdir location that points outside the checkout; an attacker who can influence the URL itself (for instance through a CI configuration) can place path traversal sequences in the subdir value.
Access through this vulnerability is limited to files on the same mounted filesystem as the checkout. An attacker cannot traverse across filesystem boundaries, but can potentially reach configuration files, credentials, or other data stored on the same volume as the BuildKit workspace.
Root Cause
The root cause is inadequate input validation in the Git URL fragment handling. When applying the subdir component to a checkout, BuildKit did not verify that the resolved path stays within the checked-out repository directory. A purely lexical join does not account for symlinks inside the repository that point to arbitrary locations on the filesystem, and it also does not reject path traversal sequences once they have been normalised away.
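To make the root cause concrete, the following Go program is an added illustration written for this page; it is not BuildKit's code and does not reproduce the actual patch. It contrasts a naive subdir resolution (a lexical join that trusts whatever the path leads to) with a hardened one that rejects absolute subdirs, checks lexical containment to catch "..", and then resolves symlinks and re-checks containment to catch a symlink committed to the repository. The fixture it builds (a "repo" directory with an "escape" symlink next to a "secrets" directory) is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a subdir resolves outside the checkout.
var ErrOutsideRoot = errors.New("subdir resolves outside the repository root")

// resolveSubdirNaive mirrors the weak behaviour the advisory describes:
// filepath.Join cleans the path lexically, so "../secrets" walks out of the
// root, and a symlink inside the repo is followed by whatever reads the result.
func resolveSubdirNaive(root, subdir string) string {
	return filepath.Join(root, subdir)
}

// within reports whether p is root itself or lies beneath it (lexically).
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveSubdirSafe is the hardened form (an illustration, not BuildKit's fix):
// the root is canonicalised, absolute subdirs are refused, the joined path is
// checked lexically, and then the real (symlink-resolved) path is checked again.
func resolveSubdirSafe(root, subdir string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(subdir) {
		return "", ErrOutsideRoot
	}
	candidate := filepath.Join(realRoot, subdir)
	if !within(realRoot, candidate) { // catches "../secrets"
		return "", ErrOutsideRoot
	}
	real, err := filepath.EvalSymlinks(candidate) // follows "escape" -> secrets
	if err != nil {
		return "", err
	}
	if !within(realRoot, real) {
		return "", ErrOutsideRoot
	}
	return real, nil
}

// buildFixture creates a throwaway checkout layout for the example (constructed,
// not a real repository): <base>/repo/app, <base>/secrets/token, and a symlink
// <base>/repo/escape -> <base>/secrets. It returns the repo root and the outside dir.
func buildFixture() (root, outside string, err error) {
	base, err := os.MkdirTemp("", "cve-2026-33748-")
	if err != nil {
		return "", "", err
	}
	root = filepath.Join(base, "repo")
	outside = filepath.Join(base, "secrets")
	if err = os.MkdirAll(filepath.Join(root, "app"), 0o755); err != nil {
		return "", "", err
	}
	if err = os.MkdirAll(outside, 0o755); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(outside, "token"), []byte("hunter2\n"), 0o600); err != nil {
		return "", "", err
	}
	if err = os.Symlink(outside, filepath.Join(root, "escape")); err != nil {
		return "", "", err
	}
	return root, outside, nil
}

func main() {
	root, _, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(root))
	for _, sub := range []string{"app", "escape", "../secrets", "/etc"} {
		safe, err := resolveSubdirSafe(root, sub)
		fmt.Printf("%-11s naive=%s safe=%s err=%v\n", sub, resolveSubdirNaive(root, sub), safe, err)
	}
	// The naive path for "escape" happily reads the file outside the repo.
	if data, err := os.ReadFile(filepath.Join(resolveSubdirNaive(root, "escape"), "token")); err == nil {
		fmt.Printf("naive resolution of \"escape\" leaked: %q\n", data)
	}
}
```

The order of the two containment checks matters: the lexical check alone would accept the "escape" symlink, and resolving symlinks alone without canonicalising the root would produce false rejections on hosts where the temp directory is itself a symlink.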
Attack Vector
The attack is network-based and does not require authentication; the attacker needs only to get a crafted repository (or URL) in front of a vulnerable builder. An attacker can exploit this vulnerability by:
- Creating a malicious Git repository containing a symlink in a subdirectory that points outside the repository
- Convincing a victim to build a Dockerfile from the attacker-controlled repository using a Git URL with the malicious subdir component
- The symlink is followed during the build process, allowing the attacker to include files from outside the repository in the build context
The vulnerability requires the build process to use Git URLs with subpath components from untrusted sources. If an organization only builds from trusted, internal repositories, the risk is significantly reduced.
For detailed technical information about this vulnerability, see the GitHub Security Advisory GHSA-4vrq-3vrq-g6gg and the Docker Context Documentation.
Detection Methods for CVE-2026-33748
Indicators of Compromise
- Build logs showing files outside the repository checkout being read or copied into the build context
- Git URL fragments whose subdir component contains path traversal sequences (../) or an absolute path; a symlink-based escape is not visible in the URL and can only be found by inspecting the repository contents
- Anomalous build context or image layer sizes that indicate additional files being included
- After upgrading, build errors from the Git source step reporting that the subdir resolves outside the checkout on builds that previously succeeded
Detection Strategies
- Monitor build logs for Git URLs containing unusual subdir components with path traversal patterns
- Implement file integrity monitoring on sensitive configuration directories that should not be accessed during builds
- Audit build pipelines for use of external Git URLs with subpath components from untrusted sources
- Review BuildKit version deployments across infrastructure to identify vulnerable instances
Monitoring Recommendations
- Enable verbose logging for BuildKit operations to capture full Git URL parameters
- Implement alerting for builds that reference Git repositories from external or untrusted domains
- Inspect suspect repositories for symlinks under the requested subdir before building them (in a clone, git ls-files -s lists symlinks with mode 120000), and monitor for symlinks being created or followed during container build processes
- Track file access patterns during builds that deviate from expected repository contents
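As an added example of the log-side checks above (written for this page, not tooling from the BuildKit project), the following Go program scans build log lines for Git URLs carrying a BuildKit fragment, splits the fragment into ref and subdir, and flags subdirs that escape lexically ("..", absolute paths) as well as repositories hosted outside an allowlist. The log lines, host allowlist and repository names are constructed for the example. Note what it cannot see: a symlink committed to the repository looks like an ordinary subdir in the URL, so this is an audit aid rather than a substitute for the patch.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Finding records one suspicious Git URL seen in a build log line.
type Finding struct {
	Line   int
	URL    string
	Ref    string
	Subdir string
	Reason string
}

// gitURLRe matches scheme-style Git URLs (https, git, ssh) and scp-style
// git@host:path URLs ending in .git, each with an optional #fragment.
var gitURLRe = regexp.MustCompile(
	`(?:https?|git|ssh)://[^\s"']+\.git(?:#[^\s"']*)?|git@[^\s"':]+:[^\s"']+\.git(?:#[^\s"']*)?`)

// parseGitRef splits a Git URL into host, ref and subdir. The BuildKit fragment
// syntax is "#<ref>:<subdir>"; either part may be empty ("#:dir", "#main").
func parseGitRef(raw string) (host, ref, subdir string, err error) {
	before, frag, _ := strings.Cut(raw, "#")
	ref, subdir, _ = strings.Cut(frag, ":")
	if strings.HasPrefix(before, "git@") {
		host, _, _ = strings.Cut(strings.TrimPrefix(before, "git@"), ":")
		return host, ref, subdir, nil
	}
	u, err := url.Parse(before)
	if err != nil {
		return "", "", "", err
	}
	return u.Hostname(), ref, subdir, nil
}

// suspiciousSubdir returns a non-empty reason when the subdir can escape the
// checkout lexically. path.Clean folds "a/../../x" into "../x" first, so a
// traversal hidden behind a benign prefix is still caught.
func suspiciousSubdir(subdir string) string {
	if subdir == "" {
		return ""
	}
	if strings.HasPrefix(subdir, "/") {
		return "absolute subdir"
	}
	cleaned := path.Clean(subdir)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "subdir escapes checkout with .."
	}
	return ""
}

// auditLog scans log lines for Git URLs and returns one Finding per problem:
// an escaping subdir, a host outside allowedHosts, or an unparseable URL.
func auditLog(lines []string, allowedHosts map[string]bool) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, raw := range gitURLRe.FindAllString(line, -1) {
			host, ref, subdir, err := parseGitRef(raw)
			if err != nil {
				out = append(out, Finding{i + 1, raw, ref, subdir, "unparseable URL: " + err.Error()})
				continue
			}
			if reason := suspiciousSubdir(subdir); reason != "" {
				out = append(out, Finding{i + 1, raw, ref, subdir, reason})
			}
			if !allowedHosts[host] {
				out = append(out, Finding{i + 1, raw, ref, subdir, "host not in allowlist: " + host})
			}
		}
	}
	return out
}

// sampleLog is constructed for this example; the line shapes imitate BuildKit
// progress output but are not captured from a real build.
var sampleLog = []string{
	"#1 [internal] load git source https://git.internal.example/platform/base.git#main:images/base",
	"#1 [internal] load git source https://github.com/someone/repo.git#:../../etc",
	"#1 [internal] load git source git@github.com:someone/repo.git#v1.2:/root",
	"#2 [internal] load build definition from Dockerfile",
	"#3 [internal] load git source https://github.com/acme/tools.git#release-2:tools/cli",
}

func main() {
	allowed := map[string]bool{"git.internal.example": true} // constructed allowlist
	for _, f := range auditLog(sampleLog, allowed) {
		fmt.Printf("line %d: %s (ref=%q subdir=%q) %s\n", f.Line, f.URL, f.Ref, f.Subdir, f.Reason)
	}
}
```

Run against the constructed log this reports five findings: two each for the "../../etc" and "/root" lines (escaping subdir plus external host) and one for the external-host-only tools.git line; the internal base image and the Dockerfile line produce nothing.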
How to Mitigate CVE-2026-33748
Immediate Actions Required
- Upgrade BuildKit to version 0.28.1 or later immediately
- Audit all build pipelines for use of Git URLs with subdir components from untrusted sources
- Review recent builds for potential exploitation attempts by examining build logs
- Temporarily disable builds from external Git repositories until patching is complete
Patch Information
The vulnerability has been fixed in BuildKit version v0.28.1. Organizations should upgrade to this version or later to remediate the vulnerability. The fix addresses the insufficient validation of Git URL fragment subdir components by implementing proper path validation and symlink handling.
For official release information, see the GitHub BuildKit Release v0.28.1.
Workarounds
- Avoid building Dockerfiles from untrusted sources or Git repositories
- Do not use the subdir component with Git URLs from untrusted repositories where the subdir could point to a symlink
- Run the BuildKit daemon in an isolated environment (a dedicated VM or container with only the build workspace mounted) so that nothing sensitive shares a filesystem with the checkout
- Use local build contexts instead of Git URLs when building from external sources
# Configuration example
# Use a local context instead of a Git URL with subdir
# Instead of: docker build https://github.com/user/repo.git#:subdir
# Clone, inspect, and build locally (git ls-files -s shows symlinks with mode 120000):
git clone https://github.com/user/repo.git
cd repo
git ls-files -s subdir | awk '$1 == "120000"'
cd subdir
docker build .
# Or upgrade BuildKit to the patched version
# Check the version of a standalone buildkitd
buildctl --version
# Check the BuildKit version used by the active docker buildx builder
docker buildx inspect --bootstrap
# Pull the updated buildkit image and create a builder that uses it
docker pull moby/buildkit:v0.28.1
docker buildx create --name patched --driver docker-container --driver-opt image=moby/buildkit:v0.28.1 --use
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

