Platform: docker
Component: docker
Fixed in: 0.28.2, 0.28.1
CVE-2026-33748 describes a path traversal vulnerability affecting Docker BuildKit. This flaw allows unauthorized access to files outside the intended Git repository root due to insufficient validation of Git URL fragment subdir components. This issue impacts builds utilizing Git URLs with a subpath component. The vulnerability is fixed in BuildKit version 0.28.1.
CVE-2026-33748 in Docker relates to insufficient validation of Git URL fragment subdirectory components (<url>#<ref>:<subdir>, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)). This may allow access to files outside the checked-out Git repository root. The access is limited to files on the same mounted filesystem. An attacker could potentially leverage this to read sensitive information if they can control the Git URL used in a Dockerfile. This vulnerability highlights the importance of carefully controlling the sources of code used in your Docker builds.
Exploitation requires control over the Git URL used in the Dockerfile. This could occur if a Dockerfile uses an external, untrusted Git repository or if a malicious actor can modify the Dockerfile. By crafting a malicious Git URL with a subdirectory fragment, an attacker could potentially access files outside the intended repository during the build process. The success of exploitation depends on the attacker’s ability to influence the build context and the permissions of the mounted filesystem.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
The issue is fixed in version v0.28.1 of Docker. The primary mitigation is to upgrade to this version or later. If immediate upgrading is not possible, avoid using Git URLs with subpath components in Dockerfiles, especially when sourcing from untrusted sources. Regularly review and audit your Dockerfiles to ensure they adhere to secure coding practices. Consider implementing stricter access controls and build environment isolation to further reduce the potential impact of this vulnerability.
Upgrade BuildKit to version 0.28.1 or later. Avoid building Dockerfiles from untrusted sources, or using the subdir component of an untrusted Git repository where the subdir component could point to a symbolic link.
A Git URL fragment is a mechanism to specify a subdirectory or a specific reference within a Git repository when used in a Dockerfile. It follows the format <url>#<ref>:<subdir>.
If you are using Docker and your Dockerfiles utilize Git URLs with subdirectories, you may be affected. Check your Docker version and upgrade to 0.28.1 or later.
The "mounted filesystem" is the filesystem on which the Docker build process is running; access is limited to files within that filesystem.
Currently, there are no specific automated tools for this. Manual review of Dockerfiles is the best approach at this time.
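Since the page recommends manual review of Dockerfiles, the following added example (not code from the page, Docker or BuildKit) shows how to automate the first pass of that review: it parses every Git-style URL found in a Dockerfile according to the `<url>#<ref>:<subdir>` fragment format described above and reports any URL that carries a subdir component, flagging separately those whose subdir is absolute or contains `..`. The regular expression for Git-style URLs, the sample Dockerfile and the finding labels are all constructed for this example; a subdir that resolves to a symbolic link can only be seen after checkout, so this static check reports every subdir for human review rather than claiming to detect the traversal itself.

```python
"""Lint a Dockerfile for Git URL sources that use a #<ref>:<subdir> fragment."""
import re

# Constructed pattern for the URL shapes docker build / BuildKit accept as a Git source.
GIT_URL_RE = re.compile(r'(?:https?://|ssh://|git://|git@)[^\s"\']+')


def parse_git_fragment(url):
    """Split <url>#<ref>:<subdir> into (base, ref, subdir); absent parts are None."""
    base, has_fragment, fragment = url.partition("#")
    if not has_fragment:
        return base, None, None
    ref, has_subdir, subdir = fragment.partition(":")
    return base, ref or None, subdir if (has_subdir and subdir) else None


def classify_subdir(subdir):
    """Label a subdir component: 'escapes-root' if it obviously leaves the
    repository, 'subdir' if it merely needs review, None if there is none."""
    if subdir is None:
        return None
    parts = subdir.replace("\\", "/").split("/")
    if subdir.startswith("/") or ".." in parts:
        return "escapes-root"
    # Any subdir deserves review on BuildKit < 0.28.1: a path that looks
    # harmless here may point at a symlink once the repository is checked out.
    return "subdir"


def audit_dockerfile(text):
    """Return (line_no, url, ref, label) for every Git URL with a subdir fragment.
    Whole-line comments are skipped; URLs without a subdir produce no finding."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        for url in GIT_URL_RE.findall(raw):
            _, ref, subdir = parse_git_fragment(url)
            label = classify_subdir(subdir)
            if label:
                findings.append((line_no, url, ref, label))
    return findings


# Constructed sample Dockerfile; the repository names are placeholders.
SAMPLE = """\
# constructed sample Dockerfile
FROM alpine:3.19
ADD https://github.com/example/app.git#main:src /app
ADD https://github.com/example/app.git#v1.0 /src
ADD git@github.com:example/tools.git#:../outside /tools
RUN echo https://example.com/not-git
"""

if __name__ == "__main__":
    for line_no, url, ref, label in audit_dockerfile(SAMPLE):
        print(f"line {line_no}: [{label}] ref={ref!r} url={url}")
```

Running the module prints two findings for the sample: line 3 is reported as `subdir` (a normal subpath that still needs review on unpatched BuildKit) and line 5 as `escapes-root` (the `..` component). The same function can be pointed at real files by reading them into `audit_dockerfile`.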
Isolate the affected system, review Docker and system logs for suspicious activity, and consider restoring from a clean backup.