Platform
go
Component
github.com/chainguard-dev/kaniko
Fixed in
1.25.5
1.25.11
1.25.10
CVE-2026-28406 is a Path Traversal vulnerability in Chainguard Kaniko, a tool for building container images from a Dockerfile. The flaw allows an attacker to write files outside the designated destination directory while Kaniko extracts the build context. Versions prior to 1.25.10 are affected; the fix shipped in 1.25.10.
The flaw is in how Kaniko extracts the build context. A context is delivered as an archive whose entry names Kaniko uses to decide where each file is written; an attacker who controls the context can supply entry names containing traversal sequences (e.g., ../) so that, once joined with the destination directory, the resulting path resolves outside it. Files can then be written to locations on the filesystem Kaniko runs in that were never meant to be writable from a build, which may clobber files the executor depends on or plant content that is later copied into the image. The impact therefore ranges from a broken build (denial of service) to compromise of the build environment and of the images it produces. This is most concerning in CI/CD pipelines, where Kaniko runs unattended on contexts pulled from repositories or uploaded by users, and a tainted context can become a tainted production image.
CVE-2026-28406 was publicly disclosed on 2026-03-10. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively recent disclosure and lack of public exploits, the probability of exploitation is considered low to medium.
Organizations that rely on Kaniko for automated image builds, particularly inside CI/CD pipelines, are the most exposed. Shared build infrastructure where several users or teams submit contexts to the same Kaniko deployment is also at risk, since a malicious context from one tenant could affect other tenants' images or the build environment itself. Pinned or unmaintained deployments running versions before 1.25.10 remain vulnerable until they are upgraded.
• go / kaniko: Confirm which Kaniko executor version your pipelines pull; anything before 1.25.10 is affected. Review the sources of build contexts (repositories, uploaded archives) for entry names containing ../ or absolute paths. Note that go vet is a static checker for common Go mistakes and does not detect path traversal, so it is not a useful check for this issue.
• linux / server: Monitor build logs for files created or modified outside the expected context directory. Use auditd to record writes; because a successful traversal lands outside the build directory, also watch the directories an escaped write would reach (the parent of the context directory and any sensitive paths), not only the context directory itself:
auditctl -w /path/to/kaniko/build/directory -p wa -k kaniko_build
• generic web: If build contexts are accepted over HTTP (for example uploaded through a web front end), inspect access logs for path traversal sequences in the request path or parameters, including URL-encoded forms:
grep -iE '(\.\./|%2e%2e)' /var/log/nginx/access.log
Disclosure
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28406 is to upgrade to Kaniko version 1.25.10 or later. If an immediate upgrade is not feasible, reduce exposure by validating build contexts before they reach Kaniko: reject archives whose entry names contain ../ or absolute paths, or allow-list the files and directories a context may contain. Running Kaniko with the least filesystem access it needs (a dedicated, disposable build environment with no writable access to sensitive paths) limits what an escaped write can reach. Monitor build processes for unexpected file modifications and, if contexts are accepted over HTTP, have the proxy in front of that endpoint inspect requests for traversal patterns. After upgrading, confirm the fix by building a test context whose entries contain path traversal sequences: the traversing entries must not be written outside the destination directory, whether the build rejects them with an error or skips them.
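As an added worked example for the extraction mechanics described above and for the post-upgrade check just mentioned, the following Go program is not Kaniko's own code and not the CVE-2026-28406 patch (whose details this page does not spell out). It shows the class of check a build-context extractor needs: every entry name is joined onto the destination and rejected if the cleaned path escapes it, and symlink entries are rejected if their resolved target escapes it. The tarball it builds in memory is constructed sample data whose entry names (../escape.txt, sub/../../escape2.txt, a link to ../../outside) were chosen to exercise those checks; the function names are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// inside reports whether path, after cleaning, is root itself or lies below it.
// The separator is appended so that "/tmp/ctx2" does not count as inside "/tmp/ctx".
func inside(root, path string) bool {
	root, path = filepath.Clean(root), filepath.Clean(path)
	return path == root || strings.HasPrefix(path, root+string(filepath.Separator))
}

// safeJoin joins an archive entry name onto root and rejects the result when the
// cleaned path (with "../" components collapsed) lands outside root.
func safeJoin(root, name string) (string, error) {
	target := filepath.Join(root, name) // Join cleans, so "sub/../../x" is resolved before the check
	if !inside(root, target) {
		return "", fmt.Errorf("entry %q escapes destination directory", name)
	}
	return target, nil
}

// ExtractContext unpacks a build-context tarball into dest. Entries whose name
// escapes dest, and symlinks whose resolved target escapes dest, are skipped and
// returned in rejected; everything materialised on disk is returned in written.
func ExtractContext(r io.Reader, dest string) (written, rejected []string, err error) {
	dest = filepath.Clean(dest)
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return written, rejected, nil
		}
		if nerr != nil {
			return written, rejected, nerr
		}
		target, jerr := safeJoin(dest, hdr.Name)
		if jerr != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, rejected, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, rejected, err
			}
		case tar.TypeReg:
			f, oerr := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if oerr != nil {
				return written, rejected, oerr
			}
			_, cerr := io.Copy(f, tr)
			f.Close()
			if cerr != nil {
				return written, rejected, cerr
			}
			written = append(written, hdr.Name)
		case tar.TypeSymlink:
			// A link pointing outside dest is as dangerous as a "../" name: a later
			// entry written through it would land outside dest.
			resolved := hdr.Linkname
			if !filepath.IsAbs(resolved) {
				resolved = filepath.Join(filepath.Dir(target), resolved)
			}
			if !inside(dest, resolved) {
				rejected = append(rejected, hdr.Name)
				continue
			}
			if err := os.Symlink(hdr.Linkname, target); err != nil {
				return written, rejected, err
			}
			written = append(written, hdr.Name)
		}
	}
}

// maliciousContext builds an in-memory tarball (constructed sample data, not a
// real attacker artifact) mixing benign entries with traversal attempts.
func maliciousContext() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	file := func(name, body string) {
		must(tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}))
		_, err := tw.Write([]byte(body))
		must(err)
	}
	link := func(name, target string) {
		must(tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeSymlink, Linkname: target, Mode: 0o777}))
	}
	file("Dockerfile", "FROM scratch\n")
	file("../escape.txt", "would land in the parent of the context directory\n")
	file("sub/ok.txt", "benign\n")
	file("sub/../../escape2.txt", "collapses to the parent as well\n")
	link("link", "../../outside") // escapes dest once resolved
	link("inner", "sub")          // stays inside dest
	must(tw.Close())
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "kaniko-ctx-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, rejected, err := ExtractContext(bytes.NewReader(maliciousContext()), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("written: ", written)
	fmt.Println("rejected:", rejected)
}
```

Two caveats on the design. The checks are purely lexical: an absolute entry name such as /etc/passwd is confined under dest by filepath.Join rather than rejected, and the symlink check only covers links created by this archive, so a hardened extractor in production would additionally refuse to follow links already present on disk (O_NOFOLLOW or openat-style traversal) and decide explicitly whether absolute names are an error. Run the same archive against a Kaniko build after upgrading: the two ../ entries and the escaping link are exactly the ones that must not appear outside the destination.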
Update kaniko to version 1.25.10 or later. This version fixes the path traversal vulnerability in build context extraction, preventing files from being written outside the destination directory.
CVE-2026-28406 is a Path Traversal vulnerability in Chainguard Kaniko affecting versions before 1.25.10. It allows attackers to write files outside intended directories during image builds.
You are affected if you are using Kaniko versions prior to 1.25.10. Check your Kaniko version and upgrade immediately if vulnerable.
Upgrade to Kaniko version 1.25.10 or later. If immediate upgrade is not possible, implement stricter build context validation and consider sandboxing.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the security advisories of the chainguard-dev/kaniko repository on GitHub (https://github.com/chainguard-dev/kaniko/security/advisories) for detailed information and updates.