{ "threat_severity" : "Moderate", "public_date" : "2026-03-27T14:00:21Z", "bugzilla" : { "description" : "github.com/moby/buildkit: BuildKit: Unauthorized file access via Git URL fragment subdir components", "id" : "2452271", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452271" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-22", "details" : [ "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.", "A flaw was found in BuildKit. Insufficient validation of Git URL fragment subdirectory components may allow a remote attacker to access files outside the checked-out Git repository root. This access is limited to files on the same mounted filesystem. This vulnerability could lead to unauthorized information disclosure." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Service Mesh 3", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9440", "cpe" : "cpe:/a:redhat:service_mesh:3.0::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1776240392" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.1", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9448", "cpe" : "cpe:/a:redhat:service_mesh:3.1::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1776315466" }, { "product_name" : "Red Hat OpenShift Service Mesh 3.2", "release_date" : "2026-04-21T00:00:00Z", "advisory" : "RHSA-2026:9453", "cpe" : "cpe:/a:redhat:service_mesh:3.2::el9", "package" : "openshift-service-mesh/istio-proxyv2-rhel9:1776291540" }, { "product_name" : "Red Hat Trusted Artifact Signer 1.3", "release_date" : "2026-04-23T00:00:00Z", "advisory" : "RHSA-2026:10125", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1.3::el9", "package" : "rhtas/client-server-rhel9:1776339099" } ], "package_state" : [ { "product_name" : "Assisted Installer for Red Hat OpenShift Container Platform 2", "fix_state" : "Affected", "package_name" : "assisted/agent-preinstall-image-builder-rhel9", "cpe" : "cpe:/a:redhat:assisted_installer:2" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Affected", "package_name" : "openshift-sandboxed-containers/osc-must-gather-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Kernel Module Management Operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "kmm/kernel-module-management-must-gather-rhel9", "cpe" : "cpe:/a:redhat:kernel_module_management:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logical Volume Manager Storage", "fix_state" : "Not affected", "package_name" : "lvms4/lvms-must-gather-rhel9", "cpe" : "cpe:/a:redhat:lvms:4" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Affected", "package_name" : "mta/mta-cli-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Affected", "package_name" : "mta/mta-discovery-addon-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Migration Toolkit for Containers", "fix_state" : "Affected", "package_name" : "rhmtc/openshift-migration-log-reader-rhel8", "cpe" : "cpe:/a:redhat:rhmt:1" }, { "product_name" : "Migration Toolkit for Containers", "fix_state" : "Affected", "package_name" : "rhmtc/openshift-migration-must-gather-rhel8", "cpe" : "cpe:/a:redhat:rhmt:1" }, { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Will not fix", "package_name" : "migration-toolkit-virtualization/mtv-must-gather-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Will not fix", "package_name" : "mtv-candidate/mtv-must-gather-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : "Multicluster Engine for Kubernetes", "fix_state" : "Affected", "package_name" : "multicluster-engine/must-gather-rhel9", "cpe" : "cpe:/a:redhat:multicluster_engine" }, { "product_name" : "Network Observability Operator", "fix_state" : "Not affected", "package_name" : "network-observability/network-observability-cli-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "Node HealthCheck Operator", "fix_state" : "Affected", "package_name" : "workload-availability/node-healthcheck-must-gather-rhel9", "cpe" : "cpe:/a:redhat:workload_availability_nhc:0" }, { "product_name" : "OpenShift API for Data Protection", "fix_state" : "Affected", "package_name" : "oadp/oadp-mustgather-rhel9", "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "ocp-tools-4/jenkins-agent-base-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Not affected", "package_name" : "ocp-tools-4/jenkins-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/kn-client-kn-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Affected", "package_name" : "openshift-serverless-1/kn-plugin-func-func-util-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/serverless-must-gather-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-cni-rhel8", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-must-gather-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/pilot-rhel8", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/proxyv2-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-cni-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-must-gather-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Not affected", "package_name" : "openshift-service-mesh/istio-pilot-rhel9", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "Power monitoring for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-power-monitoring/power-monitoring-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_power_monitoring" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-must-gather-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/aap-must-gather-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/aap-must-gather-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/aap-must-gather-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Build of Kueue", "fix_state" : "Not affected", "package_name" : "kueue/kueue-must-gather-rhel9", "cpe" : "cpe:/a:redhat:kueue_operator:1" }, { "product_name" : "Red Hat Build of Podman Desktop", "fix_state" : "Affected", "package_name" : "podman-desktop-macos-1-0", "cpe" : "cpe:/a:redhat:podman_desktop:1" }, { "product_name" : "Red Hat Build of Podman Desktop", "fix_state" : "Affected", "package_name" : "podman-desktop-windows-1-0", "cpe" : "cpe:/a:redhat:podman_desktop:1" }, { "product_name" : "Red Hat Build of Podman Desktop - Tech Preview", "fix_state" : "Will not fix", "package_name" : "rhdesktop/rh-podman-desktop-ext-bootc-rhel10", "cpe" : "cpe:/a:redhat:podman_desktop:0" }, { "product_name" : "Red Hat Build of Podman Desktop - Tech Preview", "fix_state" : "Will not fix", "package_name" : "rhdesktop/rh-podman-desktop-ext-rhel-rhel10", "cpe" : "cpe:/a:redhat:podman_desktop:0" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "buildah", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "podman", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-cli-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-must-gather-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/rhai-cli-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/cnf-tests-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/cnf-tests-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/kube-compare-artifacts-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/lifecycle-agent-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/network-tools-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/numaresources-must-gather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/oc-mirror-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-cli-artifacts-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-cli-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-csi-driver-shared-resource-mustgather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-deployer-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-docker-builder", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-docker-builder-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-local-storage-mustgather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-machine-os-images-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-must-gather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-secrets-store-csi-mustgather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-tests-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ose-tools-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift4/ptp-must-gather-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openshift-kni/commatrix", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/mcg-core-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Affected", "package_name" : "odf4/odf-cloudnative-pg-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/odf-must-gather-rhel9", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/udi-base-rhel10", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/must-gather-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Affected", "package_name" : "rhoso-operators/prometheus-podman-exporter-rhel9", "cpe" : "cpe:/a:redhat:openstack:18.0" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/quay-builder-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/quay-builder-rhel9", "cpe" : "cpe:/a:redhat:quay:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33748\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33748\nhttps://docs.docker.com/build/concepts/context/#url-fragments\nhttps://github.com/moby/buildkit/releases/tag/v0.28.1\nhttps://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg" ], "name" : "CVE-2026-33748", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }