CVE-2026-28406: kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories
kaniko unpacks build context archives using filepath.Join(dest, cleanedName) without enforcing that the final path stays within dest. A tar entry like ../outside.txt escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained with docker credential helpers to achieve code execution within the executor process. Affected versions >= 1.25.4, <= 1.25.9.
Fix: Merged with PR #326 — uses securejoin for path resolution in tar extraction.
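The following Go program is an added illustration of the flaw and its mitigation; it is not kaniko's code and not the patch from PR #326. UnsafeTarget reproduces the pattern the advisory describes (filepath.Join on a cleaned entry name with no containment check), SafeTarget is a hypothetical replacement that rejects any resolved path outside the destination using only the standard library (filepath.Rel) rather than the securejoin library the fix adopted, and ExtractTar applies that check while unpacking. The archive is constructed in memory for the example and contains one benign entry and one traversal entry of the shape the advisory names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a tar entry would resolve outside the destination.
var ErrPathEscape = errors.New("tar entry escapes destination directory")

// UnsafeTarget mirrors the flawed pattern: join and clean the name, but never
// verify that the result is still under dest. "../outside.txt" lands in dest's parent.
func UnsafeTarget(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// SafeTarget (hypothetical helper) resolves name under dest and rejects any result
// that would land outside dest. The check is lexical: it does not follow symlinks
// already present inside dest, which is what a library such as securejoin handles.
func SafeTarget(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDest, name) // Join cleans, so ".." segments collapse here
	rel, err := filepath.Rel(absDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}

// ExtractTar unpacks regular files from r into dest, skipping entries that would
// escape. It returns the names of the rejected entries so a caller can log them.
func ExtractTar(r io.Reader, dest string) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return rejected, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // only regular files are handled in this example
		}
		target, err := SafeTarget(dest, hdr.Name)
		if errors.Is(err, ErrPathEscape) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if err != nil {
			return rejected, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return rejected, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			return rejected, err
		}
		_, copyErr := io.Copy(f, tr)
		f.Close()
		if copyErr != nil {
			return rejected, copyErr
		}
	}
}

// ConstructedArchive builds a small in-memory tar (sample data, not a real build
// context) with one benign entry and one traversal entry as described in the advisory.
func ConstructedArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"Dockerfile", "FROM scratch\n"},
		{"../outside.txt", "escaped\n"},
	} {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "ctx")
	defer os.RemoveAll(dest)
	fmt.Println("unsafe join would write to:", UnsafeTarget(dest, "../outside.txt"))
	rejected, err := ExtractTar(bytes.NewReader(ConstructedArchive()), dest)
	fmt.Println("rejected entries:", rejected, "err:", err)
}
```

The lexical check is enough to stop the dot-dot traversal in this advisory, but a destination that already contains a symlink pointing outside it would still let a later entry write through that link; resolving every path component inside the root is why the project moved to securejoin rather than a prefix comparison.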
Acknowledgements
kaniko thanks Oleh Konko from 1seal for discovering and reporting this issue.
References
- github.com/advisories/GHSA-6rxq-q92g-4rmf
- github.com/chainguard-forks/kaniko
- github.com/chainguard-forks/kaniko/commit/a370e4b1f66e6e842b685c8f70ed507964c4b221
- github.com/chainguard-forks/kaniko/pull/326
- github.com/chainguard-forks/kaniko/releases/tag/v1.25.10
- github.com/chainguard-forks/kaniko/security/advisories/GHSA-6rxq-q92g-4rmf
- nvd.nist.gov/vuln/detail/CVE-2026-28406