CVE-2026-33748
HIGHCVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
### Impact Insufficient validation of Git URL fragment subdir components (`<url>#<ref>:<subdir>`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. ### Patches The issue has been fixed in version v0.28.1 ### Workarounds The issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.
Analysis
Moby BuildKit versions prior to v0.28.1 allow directory traversal attacks through maliciously crafted Git URL fragment subdir components, enabling attackers to access files outside the intended Git repository root during Docker builds. The path traversal is constrained to the same mounted filesystem but bypasses intended repository boundaries when processing Git URLs with subpath fragments. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running Moby BuildKit and document current versions in use. Within 7 days: Upgrade Moby BuildKit to v0.28.1 or later across all development, CI/CD, and build infrastructure. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today