CVE-2026-42574— apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42574
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root
Source: NVD (National Vulnerability Database)
Vulnerability Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| chainguard-dev | apko | >= 0.14.8, < 1.2.5 | - |
II. Public POCs for CVE-2026-42574
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42574
请登录查看更多情报信息。
- Release Release v1.2.5 · chainguard-dev/apko · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42574
Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total
| CVE-2026-42575 | 7.5 HIGH | apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitutio |
| CVE-2026-42576 | 6.5 MEDIUM | apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery |
IV. Related Vulnerabilities
Same product: apko
- CVE-2026-42576
apko `DiscoverKeys` has a panic on non-rsa jwks key that cau - CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-25140
apko affected by potential unbounded resource consumption in - CVE-2026-25121
apko is vulnerable to path traversal in apko dirFS which all - CVE-2026-25122
apko is vulnerable to unbounded resource consumption in expa
Same vendor: chainguard-dev
- CVE-2026-42576
apko `DiscoverKeys` has a panic on non-rsa jwks key that cau - CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-29051
melange has Path Traversal via .PKGINFO in --persist-lint-re - CVE-2026-29050
melange has Path Traversal When Resolving External Pipelines - CVE-2026-29049
melange: unbounded HTTP download in `melange update-cache` c
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42351
pygeoapi: Path Traversal in STAC FileSystemProvider
V. Comments for CVE-2026-42574
No comments yet