CVE-2026-42575— apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42575
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
Source: NVD (National Vulnerability Database)
Vulnerability Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| chainguard-dev | apko | < 1.2.7 | - |
II. Public POCs for CVE-2026-42575
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42575
请登录查看更多情报信息。
- Release Release v1.2.7 · chainguard-dev/apko · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42575
Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total
| CVE-2026-42574 | 7.5 HIGH | apko dirFS has a symlink-following path traversal that allows multiple entry points to esc |
| CVE-2026-42576 | 6.5 MEDIUM | apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery |
IV. Related Vulnerabilities
Same product: apko
- CVE-2026-42576
apko `DiscoverKeys` has a panic on non-rsa jwks key that cau - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow - CVE-2026-25140
apko affected by potential unbounded resource consumption in - CVE-2026-25121
apko is vulnerable to path traversal in apko dirFS which all - CVE-2026-25122
apko is vulnerable to unbounded resource consumption in expa
Same vendor: chainguard-dev
- CVE-2026-42576
apko `DiscoverKeys` has a panic on non-rsa jwks key that cau - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow - CVE-2026-29051
melange has Path Traversal via .PKGINFO in --persist-lint-re - CVE-2026-29050
melange has Path Traversal When Resolving External Pipelines - CVE-2026-29049
melange: unbounded HTTP download in `melange update-cache` c
Same weakness: CWE-345
- CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-42206
Roadiz OpenID Connect nonce generated but never validated — - CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig - CVE-2026-43534
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent H - CVE-2026-7611
TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do
V. Comments for CVE-2026-42575
No comments yet