CVE-2026-28406
Published: 27 February 2026
Description
Path traversal in kaniko's build-context extraction: tar entry names are cleaned and joined onto the destination directory with `filepath.Join` but never confined to it, so a crafted entry such as `../outside.txt` is written outside the extraction root.
Security Summary
CVE-2026-28406 is a path traversal vulnerability (CWE-22) in kaniko, a tool for building container images from a Dockerfile inside a container or Kubernetes cluster. Affected versions: 1.25.4 and later, before 1.25.10. When unpacking a build-context archive, kaniko computes each entry's on-disk path as `filepath.Join(dest, cleanedName)` and never checks that the result is still under `dest`. `filepath.Clean` collapses redundant path elements but keeps a leading `..`, so an entry named `../outside.txt` resolves to the parent of the extraction root and is written there. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L): high integrity impact from the arbitrary write, low availability impact, and no confidentiality impact scored.
Exploitation requires only that the attacker supply the build context, the tar archive kaniko unpacks before the build starts; no privileges on the executor and no user interaction are needed, and the vector rates the attack as network-reachable. The result is an arbitrary file write outside the extraction directory, performed with the executor's own permissions. Where kaniko is configured for registry authentication, that write can be escalated to code execution: Docker credential helpers are separate binaries named `docker-credential-<name>` that are located by searching PATH, so a planted file that wins that search runs inside the kaniko executor process when it authenticates to the registry.
Version 1.25.10 replaces the unchecked `filepath.Join` with securejoin when resolving tar extraction paths; securejoin scopes resolution to the destination directory (following symlinks only within it), so the resolved path cannot leave it. Relevant advisories and patches: GitHub security advisory GHSA-6rxq-q92g-4rmf, pull request #326, and commit a370e4b1f66e6e842b685c8f70ed507964c4b221 in the chainguard-forks/kaniko repository. Upgrade to 1.25.10 or later. Until then, do not feed build contexts from untrusted sources to the executor, and check that no directory on the executor's PATH is writable from the extraction root, since that is the route to code execution described above.
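The following Go program is an added example, not code from kaniko or from the advisory. `resolveUnsafe` reproduces the unchecked `filepath.Join(dest, cleanedName)` pattern the advisory describes; `resolveSafe` is an assumed, purely lexical stand-in for the securejoin call in the fix (it checks the result with `filepath.Rel` and does not do securejoin's in-root symlink resolution, so the extractor refuses link entries outright). `maliciousContext` builds a constructed in-memory archive with a benign entry and the `../outside.txt` entry from the advisory; all names and helpers are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when an entry would resolve outside the extraction root.
var ErrOutsideRoot = errors.New("tar entry escapes extraction root")

// resolveUnsafe reproduces the pattern the advisory describes: clean the entry name and
// join it onto dest with no check that the result stays under dest. Clean keeps a leading "..".
func resolveUnsafe(dest, name string) (string, error) {
	cleanedName := filepath.Clean(name)
	return filepath.Join(dest, cleanedName), nil
}

// resolveSafe is an added, purely lexical stand-in for securejoin (assumption: not the
// project's code). After joining, the path relative to dest must not climb out with "..".
func resolveSafe(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, filepath.Clean(name))
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, name)
	}
	return target, nil
}

// extractTar unpacks r into dest, asking resolve for each entry's on-disk path, and returns
// the paths it wrote. Only regular files are accepted: a lexical check cannot see a symlink
// planted by an earlier entry, so links are refused rather than followed.
func extractTar(dest string, r io.Reader, resolve func(dest, name string) (string, error)) ([]string, error) {
	tr := tar.NewReader(r)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		// Go may itself flag "../" names (GODEBUG tarinsecurepath=0); ignored so the resolver alone decides.
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			return written, fmt.Errorf("refusing entry type %q for %q", hdr.Typeflag, hdr.Name)
		}
		p, err := resolve(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		body, err := io.ReadAll(tr) // bodies are tiny here; stream with io.Copy in real code
		if err == nil {
			err = os.MkdirAll(filepath.Dir(p), 0o755)
		}
		if err == nil {
			err = os.WriteFile(p, body, 0o644)
		}
		if err != nil {
			return written, err
		}
		written = append(written, p)
	}
}

// maliciousContext builds, in memory, a constructed build-context archive with one benign
// entry followed by the traversal entry named in the advisory.
func maliciousContext() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range [][2]string{{"ok.txt", "benign\n"}, {"../outside.txt", "escaped\n"}} {
		hdr := &tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e[1])) // length matches the header's Size, so this cannot fail short
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	root, err := os.MkdirTemp("", "ctx-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	ctx := maliciousContext()
	fmt.Println(extractTar(filepath.Join(root, "unsafe"), bytes.NewReader(ctx), resolveUnsafe))
	fmt.Println(extractTar(filepath.Join(root, "safe"), bytes.NewReader(ctx), resolveSafe))
}
```

Run with `go run`: the unsafe extraction reports two written paths, the second of them in the parent of `unsafe/`, while the confined extraction writes `ok.txt` and then stops with `ErrOutsideRoot`. The lexical check is enough for the `../` entry in the advisory, but not for an archive that first writes a symlink pointing outside the root and then writes through it; that is why this extractor refuses link entries, and why the real fix uses securejoin, which resolves symlinks as if the destination were the filesystem root.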
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
- Affected Products: kaniko (chainguard-forks/kaniko), versions 1.25.4 and later, before 1.25.10
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the traversal is triggered by nothing more than a crafted build context handed to a network-reachable kaniko executor, with no privileges or user interaction. T1574.008 (Hijack Execution Flow: Path Interception by Search Order Hijacking): adversaries may execute their own malicious payloads by hijacking the search order used to load other programs; here the arbitrary file write plants a binary where the executor's PATH search for a Docker credential helper finds it first.