CVE-2026-28406
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Summary
kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using filepath.Join(dest, cleanedName) without enforcing that the final path stays within dest. A tar entry like ../outside.txt escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained with docker credential helpers to achieve code execution within the executor process. Version 1.25.10 uses securejoin for path resolution in tar extraction.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| chainguard-forks | kaniko | >= 1.25.4, < 1.25.10 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
kaniko: kaniko: Arbitrary code execution via path traversal in build context archive unpacking
Additional References
- https://access.redhat.com/security/cve/CVE-2026-28406
- https://bugzilla.redhat.com/show_bug.cgi?id=2443462
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28406.json
References
- https://github.com/chainguard-forks/kaniko/security/advisories/GHSA-6rxq-q92g-4rmf
- https://github.com/chainguard-forks/kaniko/pull/326
- https://github.com/chainguard-forks/kaniko/commit/a370e4b1f66e6e842b685c8f70ed507964c4b221
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.