CVE-2026-28406
Published: 27 February 2026
Summary
CVE-2026-28406 is a high-severity Path Traversal (CWE-22) vulnerability in Chainguard Kaniko. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 22.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the path traversal vulnerability by requiring validation of file paths in tar build contexts to ensure they remain within the intended destination directory.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by upgrading kaniko to version 1.25.10 or later, which implements secure path resolution with securejoin.
- Restricts processing of untrusted or malformed build context inputs, such as malicious tar archives containing path traversal payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables remote unauthenticated exploitation of a network-accessible build tool (T1190) and arbitrary file writes to hijack credential helper execution via PATH search order (T1574.008).
NVD Description
kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A tar entry like `../outside.txt` escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained with docker credential helpers to achieve code execution within the executor process. Version 1.25.10 uses securejoin for path resolution in tar extraction.
Deeper analysis
CVE-2026-28406 is a path traversal vulnerability (CWE-22) affecting kaniko, a tool for building container images from a Dockerfile within a container or Kubernetes cluster. The issue impacts versions starting from 1.25.4 up to but not including 1.25.10. Kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without ensuring the resolved path remains within the intended destination directory, allowing malicious tar entries like `../outside.txt` to escape the extraction root and write files outside it. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
Attackers can exploit this vulnerability remotely with no privileges or user interaction required by supplying a malicious tar archive as the build context. This enables arbitrary file writes outside the extraction directory. In environments configured with registry authentication, the vulnerability can be chained with Docker credential helpers to achieve code execution within the kaniko executor process.
The fix in version 1.25.10 replaces the insecure path joining with securejoin for tar extraction path resolution. Relevant advisories and patches are detailed in the GitHub security advisory (GHSA-6rxq-q92g-4rmf), pull request #326, and commit a370e4b1f66e6e842b685c8f70ed507964c4b221 from the chainguard-forks/kaniko repository. Security practitioners should upgrade to 1.25.10 or later and validate build contexts from untrusted sources.
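To make the defect concrete, the following Go program is an added example written for this page; it is not kaniko's code and does not use the securejoin library the fix adopts. It places the vulnerable pattern from the advisory, `filepath.Join(dest, cleanedName)`, beside a containment check built only from the standard library (`filepath.Rel`), which is assumed here as a stand-in for securejoin, and runs both over a constructed in-memory build-context archive whose entry names are made up for the demonstration. Note the caveat in the comments: a purely lexical check like this one does not resolve symlinks that already exist under `dest`, which is one reason the upstream fix uses securejoin rather than a prefix test.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned when an entry would resolve outside the extraction root.
var ErrOutsideDest = errors.New("tar entry resolves outside destination")

// unsafeJoin mirrors the vulnerable pattern from the advisory:
// filepath.Join(dest, cleanedName) with no containment check. Join cleans the
// result, so "../outside.txt" silently becomes a sibling of dest.
func unsafeJoin(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeJoin is an assumed standard-library stand-in for the securejoin call used
// by the fix: it joins, then verifies the result is still inside dest. Unlike
// securejoin it does not resolve symlinks already present under dest, so a
// symlink planted inside dest by an earlier entry could still redirect a write.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q -> %q", ErrOutsideDest, name, target)
	}
	return target, nil
}

// classifyEntries walks a tar archive without writing anything and sorts each
// entry name by whether safeJoin would accept it for extraction into dest.
func classifyEntries(archive []byte, dest string) (inside, escaped []string, err error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			break
		}
		if nerr != nil {
			return nil, nil, nerr
		}
		if _, jerr := safeJoin(dest, hdr.Name); jerr != nil {
			escaped = append(escaped, hdr.Name)
		} else {
			inside = append(inside, hdr.Name)
		}
	}
	return inside, escaped, nil
}

// buildSampleArchive constructs an in-memory build context. The entry names
// are made up for this example; nothing touches the real filesystem.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{
		"Dockerfile",
		"app/main.go",
		"../outside.txt",      // the case named in the advisory
		"app/../../escape.sh", // escapes only after cleaning
		"/abs/path.txt",       // absolute, but Join anchors it under dest
	} {
		body := []byte("sample\n")
		_ = tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
		_, _ = tw.Write(body)
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	dest := filepath.Join("tmp", "kaniko-context")
	inside, escaped, err := classifyEntries(buildSampleArchive(), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", inside)
	fmt.Println("rejected:", escaped)
	fmt.Println("vulnerable join of ../outside.txt:", unsafeJoin(dest, "../outside.txt"))
}
```

Running it shows the two traversal entries rejected and the absolute name accepted (it lands under `dest` after joining), while `unsafeJoin` resolves `../outside.txt` to a path beside the extraction root, which is exactly the write the advisory describes. The same classification pass can be used as a pre-extraction audit of build contexts received from untrusted sources.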
Details
- CWE(s): CWE-22 (Path Traversal)