Platform: go
Component: github.com/chainguard-dev/kaniko
Fixed in: 1.25.5, 1.25.11, 1.25.10
CVE-2026-28406 describes a Path Traversal vulnerability discovered in Chainguard Kaniko, a tool for building container images from a Dockerfile. This flaw allows attackers to write files outside of the designated destination directories during the build context extraction process. Affected versions are those prior to 1.25.10. A fix has been released in version 1.25.10, mitigating this risk.
The Path Traversal vulnerability in Kaniko allows an attacker to manipulate the build process to write arbitrary files on the host system. This is achieved by crafting a malicious Dockerfile that exploits the flaw in Kaniko's context extraction logic. Successful exploitation could lead to unauthorized code execution, data exfiltration, or even complete system takeover. The blast radius extends to any system where Kaniko is used to build container images, particularly in CI/CD pipelines or automated build environments. This vulnerability shares similarities with other path traversal exploits where attackers leverage insufficient input validation to access or modify files outside of their intended scope.
CVE-2026-28406 was publicly disclosed on 2026-03-10. The vulnerability is not currently listed on CISA KEV, and there is no readily available public proof-of-concept (POC) code. The EPSS score is likely to be assessed as medium due to the potential for significant impact and the lack of public exploits, but this is pending formal evaluation.
Organizations heavily reliant on Kaniko for automated container image builds, particularly those using it within CI/CD pipelines, are at significant risk. Shared hosting environments where multiple users build images using a shared Kaniko instance are also vulnerable, as a malicious build from one user could potentially impact other users' images or the host system itself. Legacy Kaniko deployments using older versions are particularly susceptible.
• go / kaniko: Inspect build scripts and Dockerfiles for unusual file paths or references to external directories. Use go vet to scan Kaniko source code for potential path traversal vulnerabilities.
• linux / server: Monitor build logs for unexpected file creation or modification in sensitive directories. Use auditd to track file access events within the Kaniko build environment.
auditctl -w /path/to/kaniko/build/directory -p wa -k kaniko_build
• generic web: If Kaniko is integrated into a web application, monitor access logs for requests containing suspicious path traversal sequences in the build context parameters.
grep -F '../' /var/log/nginx/access.log
Disclosure
Exploit status
EPSS: 0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28406 is to upgrade to Kaniko version 1.25.10 or later, which includes a fix for the vulnerability. If upgrading immediately is not feasible, consider implementing stricter build context validation within your CI/CD pipelines to limit the potential impact. Employing a Web Application Firewall (WAF) or reverse proxy with appropriate rules to filter out malicious file paths in the build context can provide an additional layer of defense. Carefully review and sanitize any user-provided input used in Dockerfiles to prevent attackers from injecting malicious commands.
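Kaniko is written in Go, and the flaw lies in how build-context archive entries are resolved under the destination directory. The program below is an added example, not Kaniko's code and not the actual fix: it audits a tar stream for entries whose resolved path would leave the destination directory without extracting anything, and builds its sample archive inline (the directory /build/ctx and the entry names are constructed for the example).

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeJoin resolves an entry name under dest and rejects any result outside dest.
func SafeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join collapses ".." segments first
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// AuditContext walks a tar stream and returns the names of entries that would escape dest.
func AuditContext(r io.Reader, dest string) ([]string, error) {
	var bad []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		}
		// Under GODEBUG=tarinsecurepath=0 Next returns the header with ErrInsecurePath; keep going.
		if err != nil && err != tar.ErrInsecurePath {
			return bad, err
		}
		if _, err := SafeJoin(dest, hdr.Name); err != nil {
			bad = append(bad, hdr.Name)
		}
	}
}

// SampleContext is a constructed build context: one benign entry, one that climbs out.
func SampleContext() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "app/Dockerfile", Mode: 0o644})
	tw.WriteHeader(&tar.Header{Name: "../escape.txt", Mode: 0o644})
	tw.Close()
	return buf.Bytes()
}
```

Running AuditContext over SampleContext with dest /build/ctx reports only ../escape.txt; in an extractor the same SafeJoin check belongs before every file, directory and symlink-target creation.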
Update kaniko to version 1.25.10 or later. This version fixes the path traversal vulnerability in build context extraction, preventing files from being written outside the destination directory.
CVE-2026-28406 is a Path Traversal vulnerability in Chainguard Kaniko affecting versions before 1.25.10. It allows attackers to write files outside intended directories during image builds.
You are affected if you are using Kaniko versions prior to 1.25.10. Check your Kaniko version and upgrade immediately if vulnerable.
Upgrade to Kaniko version 1.25.10 or later. If immediate upgrade is not possible, implement stricter build context validation and consider sandboxing.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the Chainguard security advisory for detailed information and updates: [https://github.com/chainguard-dev/kaniko/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory URL)