
Kaniko allows unauthorized file writes outside build directory

CVE-2026-28406 GHSA-6rxq-q92g-4rmf
Summary

Kaniko, a tool for building container images, can write files outside the directory into which it is extracting a build context, potentially allowing unauthorized file writes. This issue affects versions 1.25.4 to 1.25.9. To fix it, update Kaniko to a version that resolves file paths securely during extraction.

What to do
  • Update github.com chainguard-dev to version 1.25.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | chainguard-dev | > 1.25.4, <= 1.25.10 | 1.25.10 |
| chainguard | kaniko | > 1.25.4, <= 1.25.10 | |
Original title
kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories
Original description
kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A tar entry like `../outside.txt` escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained with docker credential helpers to achieve code execution within the executor process. Affected versions >= 1.25.4, <= 1.25.9.

**Fix:** Merged with [PR #326](https://github.com/chainguard-forks/kaniko/pull/326) — uses securejoin for path resolution in tar extraction.
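
As an added illustration (not code from kaniko, the PR, or this advisory), the unchecked `filepath.Join(dest, cleanedName)` pattern the description names, beside a standard-library containment check; the actual fix uses the securejoin library, which additionally resolves symlinks under `dest`, so this stand-in is narrower than it. The destination path and entry names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned when an entry would resolve outside dest.
var ErrOutsideDest = errors.New("tar entry escapes destination directory")

// vulnerableJoin mirrors the pre-fix pattern named in the advisory: the entry
// name is cleaned and joined onto dest, but nothing verifies the result still
// lies under dest, so "../outside.txt" resolves to a sibling of dest.
func vulnerableJoin(dest, name string) string {
	cleanedName := filepath.Clean(name)
	return filepath.Join(dest, cleanedName)
}

// safeJoin is a standard-library containment check (a stand-in, not the
// securejoin library the real fix uses). After joining, the path relative to
// dest must not begin with "..". Symlinks already present under dest are not
// resolved here, which is one thing securejoin handles and this does not.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join also cleans the result
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideDest
	}
	return target, nil
}

func main() {
	dest := "/tmp/kaniko-build" // constructed destination, not a kaniko default
	// Constructed entry names, including the traversal shape from the advisory.
	for _, name := range []string{"Dockerfile", "src/../app/main.go", "../outside.txt", ".."} {
		fmt.Printf("%-20s unchecked join -> %s\n", name, vulnerableJoin(dest, name))
		if p, err := safeJoin(dest, name); err != nil {
			fmt.Printf("%-20s contained join -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%-20s contained join -> %s\n", name, p)
		}
	}
}
```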

**Acknowledgements**

kaniko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.
NVD CVSS 3.1: 8.2
Vulnerability type
CWE-22 Path Traversal
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026