CVE-2023-26054
CVE-2023-26054 is a medium-severity vulnerability in Mobyproject Buildkit with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-200.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (59th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-200
- Affected product: Mobyproject Buildkit
- Published:
- Last modified:
Description
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.
Frequently asked questions
- What is CVE-2023-26054?
- BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In affected versions when the user sends a build request that contains a Git URL that contains credentials and the build creates a provenance attestation describing that build, these credentials could be visible from the provenance attestation. Git URL can be passed in two ways: 1) Invoking build directly from a URL with credentials. 2) If the client sends additional version control system (VCS) info hint parameters on builds from a local source. Usually, that would mean reading the origin URL from `.git/config` file. When a build is performed under specific conditions where credentials were passed to BuildKit they may be visible to everyone who has access to provenance attestation. Provenance attestations and VCS info hints were added in version v0.11.0. Previous versions are not vulnerable. In v0.10, when building directly from Git URL, the same URL could be visible in `BuildInfo` structure that is a predecessor of Provenance attestations. Previous versions are not vulnerable. This bug has been fixed in v0.11.4. Users are advised to upgrade. Users unable to upgrade may disable VCS info hints by setting `BUILDX_GIT_INFO=0`. `buildctl` does not set VCS hints based on `.git` directory, and values would need to be passed manually with `--opt`.
- How severe is CVE-2023-26054?
- CVE-2023-26054 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-26054 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (59th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-26054?
- CVE-2023-26054 affects Mobyproject Buildkit. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-26054?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-26054 published?
- CVE-2023-26054 was published on 2023-03-06 and last updated on 2026-06-17.
References
- https://github.com/moby/buildkit/commit/75123c696506bdbca1ed69906479e200f1b62604
- https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc
- https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
Affected products (1)
- cpe:2.3:a:mobyproject:buildkit:*:*:*:*:*:*:*:*
More vulnerabilities in Mobyproject Buildkit
- CVE-2024-23652 — Critical (CVSS 10.0): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
- CVE-2024-23653 — Critical (CVSS 9.8): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
- CVE-2024-23651 — High (CVSS 8.7): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
- CVE-2026-33747 — High (CVSS 8.4): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
- CVE-2026-33748 — High (CVSS 7.5): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
- CVE-2024-23650 — Medium (CVSS 5.3): BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.…
All CVEs affecting Mobyproject Buildkit →
Other CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities
- CVE-2026-27604 — Critical (CVSS 10.0): FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version…
- CVE-2026-40965 — Critical (CVSS 10.0): Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a…
- CVE-2026-42826 — Critical (CVSS 10.0): Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose…
- CVE-2025-29270 — Critical (CVSS 10.0): Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows…
- CVE-2025-61481 — Critical (CVSS 10.0): An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by…
- CVE-2025-53624 — Critical (CVSS 10.0): The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user.…
Browse all CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities →