DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28406: Kaniko Build Context Path Traversal via Unsafe Tar Extraction

#security #cve #cybersecurity

Kaniko Build Context Path Traversal via Unsafe Tar Extraction

Vulnerability ID: CVE-2026-28406
CVSS Score: 8.2
Published: 2026-03-01

A high-severity path traversal vulnerability exists in the Kaniko container image builder, specifically within the chainguard-forks/kaniko distribution. The vulnerability resides in the build context extraction logic, where the application fails to properly validate tar archive entries before writing them to the filesystem. By crafting a malicious tarball containing files with relative path sequences (e.g., ../../), an attacker can escape the intended extraction directory. This allows for arbitrary file writes on the container filesystem, which can potentially lead to Remote Code Execution (RCE) by overwriting system binaries or credential helpers used during the build process.

TL;DR

Kaniko versions 1.25.4 through 1.25.9 contain a path traversal flaw (CWE-22) during build context unpacking. Attackers can provide a malicious tar archive to overwrite arbitrary files in the container, leading to potential RCE.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (Context Injection)
  • CVSS v3.1: 8.2 (High)
  • EPSS Score: 0.12%
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Kaniko (chainguard-forks distribution)
  • CI/CD Pipelines using Kaniko
  • Kubernetes Build Pods
  • kaniko: >= 1.25.4, < 1.25.10 (Fixed in: 1.25.10)

Code Analysis

Commit: a370e4b

Fix CVE-2026-28406: Use securejoin and validate tar paths

func UnpackCompressedTar(...) {
- path := filepath.Join(dest, cleanedName)
+ path, err := securejoin.SecureJoin(dest, cleanedName)
}
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Internal Research: Exploit methodology described in GHSA advisory involving relative paths in tar headers.

Mitigation Strategies

  • Software Upgrade
  • Input Validation
  • Least Privilege

Remediation Steps:

  1. Upgrade the Kaniko image in your CI/CD pipeline to version v1.25.10 or later immediately.
  2. If using chainguard-forks/kaniko, pull the latest digest associated with the patched release.
  3. Verify that build contexts originate from trusted sources.
  4. Implement File Integrity Monitoring (FIM) in the build environment to detect unauthorized modifications to system binaries.

References

Read the full report for CVE-2026-28406 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)