Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 3d013d0ece77 · 2026-03-26T18:29:21.000Z
GHSA-4c29-8rgm-jvjj GHSA-4vrq-3vrq-g6gg GHSA-qfc3-hm4j-7q77
diff --git a/advisories/github-reviewed/2026/03/GHSA-4c29-8rgm-jvjj/GHSA-4c29-8rgm-jvjj.json b/advisories/github-reviewed/2026/03/GHSA-4c29-8rgm-jvjj/GHSA-4c29-8rgm-jvjj.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4c29-8rgm-jvjj",
+  "modified": "2026-03-26T18:26:09Z",
+  "published": "2026-03-26T18:26:09Z",
+  "aliases": [
+    "CVE-2026-33747"
+  ],
+  "summary": "BuildKit's Malicious frontend can cause file escape outside of storage root",
+  "details": "### Impact\nWhen using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.\n\n### Patches\nThe issue has been fixed in v0.28.1+\n\n### Workarounds\nIssue requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/moby/buildkit"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.28.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/moby/buildkit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T18:26:09Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-4vrq-3vrq-g6gg/GHSA-4vrq-3vrq-g6gg.json b/advisories/github-reviewed/2026/03/GHSA-4vrq-3vrq-g6gg/GHSA-4vrq-3vrq-g6gg.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4vrq-3vrq-g6gg",
+  "modified": "2026-03-26T18:27:49Z",
+  "published": "2026-03-26T18:27:49Z",
+  "aliases": [
+    "CVE-2026-33748"
+  ],
+  "summary": "BuildKit Git URL subdir component can cause access to restricted files",
+  "details": "### Impact\nInsufficient validation of Git URL fragment subdir components (`<url>#<ref>:<subdir>`, [docs](https://docs.docker.com/build/concepts/context/#url-fragments)) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.\n\n### Patches\nThe issue has been fixed in version v0.28.1\n\n### Workarounds\nThe issue affects only builds that use Git URLs with a subpath component. Avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/moby/buildkit"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.28.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.docker.com/build/concepts/context/#url-fragments"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/moby/buildkit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22",
+      "CWE-59"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T18:27:49Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qfc3-hm4j-7q77/GHSA-qfc3-hm4j-7q77.json b/advisories/github-reviewed/2026/03/GHSA-qfc3-hm4j-7q77/GHSA-qfc3-hm4j-7q77.json
@@ -0,0 +1,106 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qfc3-hm4j-7q77",
+  "modified": "2026-03-26T18:28:44Z",
+  "published": "2026-03-26T18:28:44Z",
+  "aliases": [
+    "CVE-2026-33749"
+  ],
+  "summary": "n8n Vulnerable to XSS via Binary Data Inline HTML Rendering",
+  "details": "## Impact\nAn authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access.\n\nBy sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.123.27"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.14.0"
+            },
+            {
+              "fixed": "2.14.1"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "2.14.0"
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "n8n"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0-rc.0"
+            },
+            {
+              "fixed": "2.13.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33749"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/n8n-io/n8n"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T18:28:44Z",
+    "nvd_published_at": "2026-03-25T19:16:51Z"
+  }
+}
