PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28406 Chainguard CVE debrief

CVE-2026-28406 is a high-severity vulnerability in Kaniko, a tool for building container images from a Dockerfile within a container or Kubernetes cluster. The issue, which exists from version 1.25.4 up to but not including 1.25.10, arises from Kaniko's insecure handling of tar entries during the extraction of build context archives. Specifically, the use of `filepath.Join(dest, cleanedName)` without proper path resolution allows a tar entry like `../outside.txt` to escape the extraction root, potentially writing files outside the intended destination directory. In environments where registry authentication is used, this vulnerability can be exploited in conjunction with Docker credential helpers to achieve code execution within the executor process. The vulnerability has been addressed in version 1.25.10, which utilizes securejoin for path resolution during tar extraction, effectively mitigating the issue.

Vendor: Chainguard
Product: Kaniko
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-27
Original CVE updated: 2026-06-30
Advisory published: 2026-02-27
Advisory updated: 2026-06-30

Who should care

This vulnerability should be of concern to organizations and individuals using Kaniko for building container images, especially those operating in environments with registry authentication. The potential for code execution within the executor process makes it critical for users of affected versions (1.25.4 to 1.25.9) to update to version 1.25.10 or apply appropriate mitigations.

Technical summary

The vulnerability in Kaniko (CVE-2026-28406) stems from the insecure use of `filepath.Join(dest, cleanedName)` for handling tar entries during build context archive extraction. Because `filepath.Join` cleans the combined path, an entry name containing `..` segments resolves to a location above `dest`, so an attacker who controls the archive can write files outside the extraction directory. The CVSS score for this vulnerability is 8.2, a high severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L: network-reachable, low attack complexity, no privileges or user interaction required, no confidentiality impact, high integrity impact and low availability impact. The weakness is classified as CWE-22 (Path Traversal).
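To make the root cause described above (and in the overview at the top of this debrief) concrete, the following is an added Go example, not Kaniko's own code. It contrasts the `filepath.Join(dest, cleanedName)` pattern with a containment check, and runs both over entries of a constructed in-memory tar so nothing touches the filesystem. The check here is purely lexical (`filepath.Rel` against the cleaned root); Kaniko's actual fix uses securejoin, which additionally resolves symlinks already present under the root, so this stands in for the fixed behaviour rather than reproducing it. Function names and the sample destination path are this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for entries whose resolved path leaves the root.
var ErrTraversal = errors.New("tar entry escapes extraction root")

// unsafeDestPath reproduces the pattern the advisory describes:
// filepath.Join cleans the joined path, so an entry "../outside.txt"
// resolves to a sibling of dest rather than a child of it.
func unsafeDestPath(dest, name string) string {
	cleanedName := filepath.Clean(name)
	return filepath.Join(dest, cleanedName)
}

// safeDestPath joins as before but then proves the result is still under
// dest. Hypothetical hardening: a lexical check only, unlike securejoin,
// which also follows symlinks that already exist beneath the root.
func safeDestPath(dest, name string) (string, error) {
	root := filepath.Clean(dest)
	target := filepath.Join(root, name)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// buildArchive constructs an in-memory tar with the given entry names
// (constructed sample input; the file contents are irrelevant here).
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("x")
		hdr := &tar.Header{Name: n, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		_ = tw.WriteHeader(hdr)
		_, _ = tw.Write(body)
	}
	_ = tw.Close()
	return buf.Bytes()
}

// rejectedEntries walks a tar stream the way an extractor would and returns
// the entry names that safeDestPath refuses. Nothing is written to disk.
func rejectedEntries(archive []byte, dest string) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return nil, err
		}
		if _, err := safeDestPath(dest, hdr.Name); errors.Is(err, ErrTraversal) {
			rejected = append(rejected, hdr.Name)
		} else if err != nil {
			return nil, err
		}
	}
}

func main() {
	dest := filepath.FromSlash("/tmp/build-context") // assumed extraction root
	fmt.Println("vulnerable join:", unsafeDestPath(dest, "../outside.txt"))
	archive := buildArchive([]string{"Dockerfile", "../outside.txt", "sub/../../escape.sh", "/abs/path.txt"})
	bad, err := rejectedEntries(archive, dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected:", bad)
}
```

Note that an absolute entry name such as `/abs/path.txt` is not an escape on its own: `filepath.Join` treats it as relative to the root. The entries that matter are the ones whose `..` segments survive cleaning, which is exactly what the `filepath.Rel` check detects.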

Defensive priority

Given the high severity and potential for code execution, defensive priority should be placed on updating Kaniko to version 1.25.10 or applying compensating controls to mitigate the risk of path traversal and unauthorized code execution.

Recommended defensive actions

  • Update Kaniko to version 1.25.10 or later to ensure secure path resolution during tar extraction.
  • Implement compensating controls such as enhanced monitoring and authentication mechanisms for container build processes.
  • Review and restrict access to Kaniko and related resources to minimize exploitation risk.
  • Apply Docker credential helper security best practices to reduce the attack surface.
  • Regularly audit and update container build environments to ensure compliance with security policies.

Evidence notes

The CVE-2026-28406 vulnerability details were obtained from the NVD and CVE.org records. The information provided indicates a high severity vulnerability in Kaniko versions 1.25.4 through 1.25.9. Evidence from the source item and related references supports the existence and impact of this vulnerability.

Official resources

This CVE debrief is AI-assisted and based on the supplied source corpus.