Platform
go
Component
github.com/chainguard-dev/kaniko
Fixed in
1.25.5
1.25.11
1.25.10
CVE-2026-28406 describes a Path Traversal vulnerability discovered in Chainguard Kaniko, a tool for building container images from a Dockerfile. This flaw allows attackers to write files outside of the designated destination directories during the build context extraction process. Affected versions are those prior to 1.25.10. A fix has been released in version 1.25.10, mitigating this risk.
The core of this vulnerability lies in Kaniko's handling of the build context. An attacker can craft a malicious build context that includes specially crafted filenames, leveraging path traversal sequences (e.g., ../) to escape the intended build directory. This allows them to write arbitrary files to locations on the host system where Kaniko is running, potentially overwriting critical system files or injecting malicious code into the image. The impact can range from denial of service (by overwriting essential files) to complete system compromise if the attacker gains write access to sensitive areas. This vulnerability is particularly concerning in CI/CD pipelines where Kaniko is used to automate image builds, as it could allow attackers to inject malicious code into production images.
CVE-2026-28406 was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively recent disclosure and lack of public exploits, the probability of exploitation is considered low to medium.
Exploit Status
EPSS
0.23% (46% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28406 is to upgrade to Kaniko version 1.25.10 or later. If an immediate upgrade is not feasible due to compatibility issues, consider implementing stricter build context validation. This could involve whitelisting allowed files and directories within the build context, preventing the inclusion of potentially malicious files. Additionally, running Kaniko in a sandboxed environment with limited file system access can reduce the potential impact of a successful exploit. Monitor build processes for unexpected file modifications and consider implementing a WAF or proxy to inspect build requests for suspicious path traversal patterns. After upgrading, confirm the fix by attempting a build with a malicious context containing path traversal sequences; the build should fail with an appropriate error.
Actualice kaniko a la versión 1.25.10 o superior. Esta versión corrige la vulnerabilidad de path traversal en la extracción del contexto de construcción, evitando la escritura de archivos fuera del directorio de destino.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28406 is a Path Traversal vulnerability in Chainguard Kaniko affecting versions before 1.25.10. It allows attackers to write files outside intended directories during image builds.
You are affected if you are using Kaniko versions prior to 1.25.10. Check your Kaniko version and upgrade immediately if vulnerable.
Upgrade to Kaniko version 1.25.10 or later. If immediate upgrade is not possible, implement stricter build context validation and consider sandboxing.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the Chainguard security advisory for detailed information and updates: [https://github.com/chainguard-dev/kaniko/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory URL)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.