PatchSiren cyber security CVE debrief
CVE-2026-28406 Chainguard CVE debrief
CVE-2026-28406 is a high-severity vulnerability in Kaniko, a tool for building container images from a Dockerfile within a container or Kubernetes cluster. The issue, which exists from version 1.25.4 up to but not including 1.25.10, arises from Kaniko's insecure handling of tar entries during the extraction of build context archives. Specifically, the use of `filepath.Join(dest, cleanedName)` without proper path resolution allows a tar entry like `../outside.txt` to escape the extraction root, potentially writing files outside the intended destination directory. In environments where registry authentication is used, this vulnerability can be exploited in conjunction with Docker credential helpers to achieve code execution within the executor process. The vulnerability has been addressed in version 1.25.10, which utilizes securejoin for path resolution during tar extraction, effectively mitigating the issue.
- Vendor: Chainguard
- Product: Kaniko
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-27
- Advisory updated: 2026-06-30
Who should care
This vulnerability should be of concern to organizations and individuals using Kaniko for building container images, especially those operating in environments with registry authentication. The potential for code execution within the executor process makes it critical for users of affected versions (1.25.4 to 1.25.9) to update to version 1.25.10 or apply appropriate mitigations.
Technical summary
The vulnerability in Kaniko (CVE-2026-28406) stems from the insecure use of `filepath.Join(dest, cleanedName)` for handling tar entries during build context archive extraction. This allows for path traversal, enabling an attacker to write files outside the extraction directory. The CVSS score for this vulnerability is 8.2, indicating a high severity level. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, highlighting the network-exploitable nature and potential for high impact. CWE-22 (Path Traversal) is associated with this vulnerability.
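As an added illustration, not Kaniko's own code, the following Go snippet places the vulnerable join pattern next to a hardened check. The helper names `unsafeJoin` and `safeJoin`, the destination path and the sample entry names are constructed for this example; the boundary check uses a plain `filepath.Rel` test rather than the securejoin library the fix adopts, so it handles the `../` case discussed above but does not resolve symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("tar entry resolves outside extraction root")

// unsafeJoin mirrors the vulnerable pattern: Join cleans the path, but a
// leading ".." in the entry name still climbs above dest.
func unsafeJoin(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeJoin is a hypothetical hardened replacement: join, then verify the
// result is still inside the extraction root. It does not follow symlinks,
// which is the additional protection securejoin provides in the real fix.
func safeJoin(dest, name string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, name) // Join applies Clean to the result
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	dest := "/workspace/context" // constructed extraction root
	// Constructed entry names, including the traversal form from the advisory.
	for _, name := range []string{"Dockerfile", "src/app.go", "../outside.txt", "a/../../escape"} {
		fmt.Printf("%-16s unsafe=%-32s ", name, unsafeJoin(dest, name))
		if p, err := safeJoin(dest, name); err != nil {
			fmt.Println("safe=REJECTED:", err)
		} else {
			fmt.Println("safe=", p)
		}
	}
}
```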
Defensive priority
Given the high severity and potential for code execution, defensive priority should be placed on updating Kaniko to version 1.25.10 or applying compensating controls to mitigate the risk of path traversal and unauthorized code execution.
Recommended defensive actions
- Update Kaniko to version 1.25.10 or later to ensure secure path resolution during tar extraction.
- Implement compensating controls such as enhanced monitoring and authentication mechanisms for container build processes.
- Review and restrict access to Kaniko and related resources to minimize exploitation risk.
- Apply Docker credential helper security best practices to reduce the attack surface.
- Regularly audit and update container build environments to ensure compliance with security policies.
Evidence notes
The CVE-2026-28406 vulnerability details were obtained from the NVD and CVE.org records. The information provided indicates a high severity vulnerability in Kaniko versions 1.25.4 through 1.25.9. Evidence from the source item and related references supports the existence and impact of this vulnerability.
Official resources
- CVE-2026-28406 CVE record (CVE.org)
- CVE-2026-28406 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (Patch): [email protected]
- Mitigation or vendor reference (Issue Tracking, Patch): [email protected]
- Mitigation or vendor reference (Patch, Vendor Advisory): [email protected]
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This CVE debrief is AI-assisted and based on the supplied source corpus.