GO-2026-4580 — Vulnetix

GO-2026-4580 PUBLISHED CVSS 8.699999809265137 HIGH

kaniko has tar archive path traversal in its build context extraction, allowing file writes outside destination directories in github.com/chainguard-dev/kaniko

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
github.com	chainguard-dev/kaniko	1.25.4, 1.25.4

Timeline

Mar 10, 2026 CVE Published
Mar 23, 2026 CVE Updated
May 1, 2026 Security Advisory

References

https://github.com/chainguard-forks/kaniko/security/advisories/GHSA-6rxq-q92g-4rmf advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-28406 advisory
https://github.com/chainguard-forks/kaniko/commit/a370e4b1f66e6e842b685c8f70ed507964c4b221 url
https://github.com/chainguard-forks/kaniko/pull/326 url
https://github.com/chainguard-forks/kaniko/releases/tag/v1.25.10 url

Open in Interactive Console →