Path Traversal in Moby Buildkit
CVE-2026-33748
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (9.6th percentile)
Affected products
- Moby Buildkit — versions < 0.28.1
Weakness classification (CWE)
References
- https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg (x_refsource_CONFIRM)
- https://docs.docker.com/build/concepts/context/#url-fragments (x_refsource_MISC)
- https://github.com/moby/buildkit/releases/tag/v0.28.1 (x_refsource_MISC)