PT-2026-22407 · Google · Kaniko
1Seal · Published 2026-02-27 · Updated 2026-03-25 · CVE-2026-28406
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: kaniko versions 1.25.4 through 1.25.9
Description: kaniko is a tool used to build container images from a Dockerfile within a container or Kubernetes cluster. Versions from 1.25.4 up to, but not including, 1.25.10 improperly handle the extraction of build context archives. Specifically, the function filepath.Join(dest, cleanedName) does not adequately restrict the extracted files to the intended destination directory (dest). This allows a malicious archive to include entries like ../outside.txt which can escape the extraction root and write files outside the designated directory. In environments where registry authentication is enabled, this can potentially lead to code execution within the kaniko executor process by chaining this issue with docker credential helpers.
Recommendations: Update to kaniko version 1.25.10 or later.
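The flaw described above, as an added illustration that is not kaniko's own code: the unchecked filepath.Join pattern beside a containment check that rejects any entry resolving outside dest. The function names, the dest path and the sample entry names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry that would land outside dest.
var ErrTraversal = errors.New("archive entry escapes extraction root")

// naiveTarget shows the pattern the advisory describes: the entry name is
// cleaned and joined onto dest, but the joined result is never checked,
// so "../outside.txt" resolves one level above dest.
func naiveTarget(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeTarget joins the entry onto dest and then requires the result to stay
// inside dest (or equal it). filepath.Rel on cleaned absolute paths is used
// rather than a raw string-prefix test so that sibling directories sharing a
// prefix are not mistaken for children. Symlinks already present under dest
// are a separate concern and are not handled here.
func safeTarget(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDest, name) // Join also cleans the result
	rel, err := filepath.Rel(absDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed sample entry names as they might appear in a build context archive.
	entries := []string{"Dockerfile", "app/main.go", "../outside.txt", "a/../../b", "/etc/passwd"}
	for _, e := range entries {
		safe, err := safeTarget("/build/ctx", e)
		fmt.Printf("%-16s naive=%-24s safe=%s err=%v\n", e, naiveTarget("/build/ctx", e), safe, err)
	}
}
```

Note that an absolute entry name such as /etc/passwd is not itself an escape: Join anchors it under dest, and the check only rejects entries whose cleaned form climbs above dest.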

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-28406
GHSA-6RXQ-Q92G-4RMF
GO-2026-4580
SUSE-SU-2026:1042-1

Affected Products

Kaniko