Moby BuildKit v0.28.1 Patches Critical Path Traversal Vulnerability (CVE-2026-33747)
A critical security flaw in the Moby BuildKit toolchain has been patched, exposing container build pipelines to potential file system compromise. The vulnerability, tracked as CVE-2026-33747, allows a malicious or compromised BuildKit frontend to write files outside the designated BuildKit state directory. This path traversal flaw directly threatens the integrity of container image builds and the underlying host systems orchestrating them.
The vulnerability resides in the API message handling of custom BuildKit frontends. When a project uses an untrusted frontend specified via `#syntax` directives or the `--frontend` flag, a crafted API request can bypass directory constraints. The issue has been resolved in version v0.28.1 of the `github.com/moby/buildkit` module. The update is flagged as a security priority in dependency management systems like RenovateBot, which automatically generates pull requests to migrate from the vulnerable v0.28.0.
This patch is a mandatory update for any development or CI/CD pipeline utilizing BuildKit for Docker image construction. The exploit requires a specific attack vector—an untrusted frontend—limiting immediate widespread risk but creating a severe liability for teams incorporating third-party or user-supplied build components. The fix underscores the persistent security challenges in layered build systems where a single compromised component can escalate to host-level file system access. Teams must audit their build configurations for custom frontend usage and apply the v0.28.1 update to close this path traversal window.
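One way to run the audit recommended above, as an added example that is not BuildKit's or the article's own code: a small Go scanner that extracts the `# syntax=` parser directive from each Dockerfile and flags any frontend reference outside an allow-list. The allow-list prefix and the sample registry name are assumptions, and frontends selected with the `--frontend` flag on the command line are outside what a Dockerfile scan can see.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var directiveRe = regexp.MustCompile(`^#\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(\S+)\s*$`) // "# syntax=docker/dockerfile:1"

// syntaxFrontend returns the frontend reference set by a Dockerfile's syntax directive,
// or "" if none. Directives are only honoured before the first blank line, plain comment
// or instruction, so scanning stops at the first line that is not a directive.
func syntaxFrontend(dockerfile string) string {
	for _, raw := range strings.Split(dockerfile, "\n") {
		m := directiveRe.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			return ""
		}
		if strings.EqualFold(m[1], "syntax") {
			return m[2]
		}
	}
	return ""
}

// trustedFrontend reports whether a frontend reference starts with one of the
// allow-listed prefixes (an assumed policy: the frontend images your team has vetted).
func trustedFrontend(ref string, allowedPrefixes []string) bool {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(ref, p) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs; the registry host is a placeholder, not a real one.
	samples := map[string]string{
		"app/Dockerfile":   "# syntax=docker/dockerfile:1\nFROM alpine\n",
		"svc/Dockerfile":   "#syntax=registry.example/team/custom-frontend:latest\nFROM scratch\n",
		"plain/Dockerfile": "FROM alpine\n# syntax=docker/dockerfile:1\n",
	}
	for name, content := range samples {
		if ref := syntaxFrontend(content); ref != "" {
			fmt.Printf("%s: frontend %s trusted=%t\n", name, ref, trustedFrontend(ref, []string{"docker/dockerfile"}))
		}
	}
}
```

A directive placed after the first instruction (the `plain/Dockerfile` sample) is ignored by BuildKit and therefore not reported, so the scanner reports only frontends that would actually be loaded.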