CVE-2026-33748
HIGH 7.5 | EPSS 0.03%
BuildKit Git URL subdir component can cause access to restricted files
Published: 3/26/2026
Modified: 5/5/2026
Description
### Impact

Insufficient validation of Git URL fragment subdir components (`<url>#<ref>:<subdir>`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.

### Patches

The issue has been fixed in version v0.28.1.

### Workarounds

The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
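The class of check the Impact section refers to, as an added example (not BuildKit's code and not the v0.28.1 patch): resolve symlinks in the requested subdir first, then confirm the result is still inside the checkout root. `ResolveSubdir` and `ErrEscapesRoot` are hypothetical names, and the directory layout in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot and ResolveSubdir are hypothetical names for this example.
var ErrEscapesRoot = errors.New("subdir resolves outside repository root")

// ResolveSubdir returns the real path of subdir inside root. It resolves
// symlinks first and rejects any result that is not contained in root.
func ResolveSubdir(root, subdir string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// A symlink committed to the repository is followed here, so the check
	// below compares the final target rather than the lexical path.
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, subdir))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscapesRoot, subdir)
	}
	return resolved, nil
}

func main() {
	// Constructed layout: a checkout whose "docs" entry is a symlink to a sibling directory.
	base, _ := os.MkdirTemp("", "ctx")
	defer os.RemoveAll(base)
	root := filepath.Join(base, "repo")
	os.MkdirAll(filepath.Join(root, "app"), 0o755)
	os.MkdirAll(filepath.Join(base, "outside"), 0o755)
	os.Symlink(filepath.Join(base, "outside"), filepath.Join(root, "docs"))
	for _, frag := range []string{"main:app", "main:docs", "main:../outside"} {
		_, subdir, _ := strings.Cut(frag, ":") // fragment form: <ref>:<subdir>
		_, err := ResolveSubdir(root, subdir)
		fmt.Printf("%-16s err=%v\n", frag, err)
	}
}
```

A resolve-then-check like this is only sound while the checked-out tree cannot change between the check and the later use of the returned path.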
Affected packages (3)
- Debian/docker.io: from 0
- Go/github.com/moby/buildkit: from 0, < 0.28.1
- Go/github.com/moby/buildkit: from 0, < 0.28.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-33748
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-33748
- PATCH: https://github.com/moby/buildkit
- WEB: https://docs.docker.com/build/concepts/context/#url-fragments
- WEB: https://github.com/moby/buildkit/releases/tag/v0.28.1
- WEB: https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg