
CVE-2026-28406: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in chainguard-forks kaniko

Severity: High
Tags: Vulnerability, CVE-2026-28406, CWE-22
Published: Fri Feb 27 2026 (02/27/2026, 21:20:52 UTC)
Source: CVE Database V5
Vendor/Project: chainguard-forks
Product: kaniko

Description

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. A tar entry like `../outside.txt` escapes the extraction root and writes files outside the destination directory. In environments with registry authentication, this can be chained with docker credential helpers to achieve code execution within the executor process. Version 1.25.10 uses securejoin for path resolution in tar extraction.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/07/2026, 21:18:56 UTC

Technical Analysis

Kaniko is a widely used tool for building container images from Dockerfiles within containerized or Kubernetes environments. CVE-2026-28406 is a path traversal flaw (CWE-22) affecting kaniko versions from 1.25.4 up to but not including 1.25.10. The root cause is insecure handling of tar archive entry paths during the unpacking of build context archives. Kaniko computes each extraction path with `filepath.Join(dest, cleanedName)` but never verifies that the resolved path remains within the intended destination directory; because `filepath.Join` cleans the result, a `../` component is simply resolved into the parent directory rather than rejected. A maliciously crafted tar entry containing relative path components such as `../` can therefore escape the extraction root and write files at attacker-chosen locations on the host or container filesystem. Where kaniko is used with registry authentication, this path traversal can be chained with docker credential helpers, potentially leading to arbitrary code execution within the kaniko executor process, which elevates the risk from file overwrite to full compromise of the build environment. Exploitation requires no authentication or user interaction and can be triggered remotely by supplying a malicious build context archive. The issue was addressed in kaniko version 1.25.10 by switching to securejoin, a path resolution library that keeps the extraction path inside the intended directory. No known exploits in the wild have been reported yet, but the CVSS score of 8.2 indicates a significant risk if exploited.
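The join pattern described above, shown beside a hardened extractor, as an added example that is not kaniko's code and not the 1.25.10 fix (which uses the securejoin library). The names `vulnerableJoin`, `safeJoin`, `extractTar`, `buildSampleContext` and `demo` are this example's own, the archive is constructed inline, and the standard-library check here only rejects lexical `..` escapes; unlike securejoin it does not resolve symlinks already present under `dest`, so a real extractor must also refuse or defer symlink entries.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when an archive entry would resolve outside dest.
var ErrEscape = errors.New("tar entry escapes extraction root")

// vulnerableJoin mirrors the pattern the advisory describes: the entry name is
// cleaned and joined onto dest, but nothing checks that the result is still
// under dest. Join cleans the path, so "../outside.txt" lands in dest's parent.
func vulnerableJoin(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeJoin (hypothetical name) joins and then verifies that the path relative
// to dest does not begin with "..", i.e. does not climb out of dest.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join also runs Clean
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscape, name)
	}
	return target, nil
}

// ExtractResult records which entry names were written and which were refused.
type ExtractResult struct {
	Written  []string
	Rejected []string
}

// extractTar unpacks a tar stream into dest, refusing any entry that escapes
// dest. Only regular files and directories are written; every other entry type
// (symlinks, devices, ...) is rejected rather than trusted.
func extractTar(r io.Reader, dest string) (ExtractResult, error) {
	var res ExtractResult
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return res, nil
		}
		if err != nil {
			return res, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil || (hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir) {
			res.Rejected = append(res.Rejected, hdr.Name)
			continue
		}
		if hdr.Typeflag == tar.TypeDir {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return res, err
			}
		} else {
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return res, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return res, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return res, err
			}
		}
		res.Written = append(res.Written, hdr.Name)
	}
}

// buildSampleContext returns a constructed build-context tarball with one
// benign file and one traversal entry of the kind the advisory describes.
func buildSampleContext() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"Dockerfile", "FROM scratch\n"},
		{"../outside.txt", "should never be written\n"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// demo extracts the constructed archive into a fresh temp dir and returns the
// result plus the path the vulnerable join would have chosen for the traversal
// entry, so the two behaviours can be compared side by side.
func demo() (ExtractResult, string, error) {
	dest, err := os.MkdirTemp("", "ctx-")
	if err != nil {
		return ExtractResult{}, "", err
	}
	defer os.RemoveAll(dest)
	res, err := extractTar(bytes.NewReader(buildSampleContext()), dest)
	if err != nil {
		return res, "", err
	}
	if _, err := os.Stat(filepath.Join(dest, "Dockerfile")); err != nil {
		return res, "", err
	}
	return res, vulnerableJoin(dest, "../outside.txt"), nil
}

func main() {
	res, bad, err := demo()
	fmt.Printf("written=%v rejected=%v vulnerable join would write to %s err=%v\n", res.Written, res.Rejected, bad, err)
}
```

Running it shows the benign `Dockerfile` written under the temp directory, `../outside.txt` rejected, and the path the unchecked join would have produced one level above the extraction root.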

Potential Impact

The impact of CVE-2026-28406 is substantial for organizations using kaniko to build container images, especially in automated CI/CD pipelines and Kubernetes environments. Exploitation can lead to unauthorized file writes outside the intended directory, potentially overwriting critical files or injecting malicious payloads. When combined with docker credential helpers in authenticated registry environments, attackers can achieve arbitrary code execution within the build executor process. This compromises the integrity of container images, allowing attackers to insert backdoors or malware that propagate downstream to production environments. The availability impact is low but the integrity impact is high, as attackers can manipulate build artifacts and potentially gain persistent footholds. Organizations relying on kaniko for secure container builds face risks of supply chain attacks, unauthorized access to sensitive credentials, and disruption of trusted build processes. The vulnerability affects all deployments using vulnerable kaniko versions, regardless of platform, increasing the global risk footprint.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade kaniko to version 1.25.10 or later, where the issue is fixed by using secure path resolution. Until the upgrade is possible, restrict the sources of build context archives to trusted origins only and implement strict validation of build inputs to detect and block malicious tar entries containing path traversal sequences. Employ runtime security controls such as container filesystem integrity monitoring and least privilege execution for kaniko processes to limit the impact of potential exploitation. Additionally, isolate build environments and avoid sharing sensitive credentials or docker credential helpers in the same context as kaniko builds. Implement network segmentation and monitoring to detect anomalous behavior during build processes. Regularly audit and review container build pipelines for suspicious activity and ensure that all dependencies and tools are kept up to date with security patches.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-27T15:33:57.289Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a20f8732ffcdb8a275da1b

Added to database: 2/27/2026, 9:41:27 PM

Last enriched: 3/7/2026, 9:18:56 PM

Last updated: 4/13/2026, 9:20:45 AM

Views: 125
