CVE-2026-42574
Received Received - Intake
Symlink Traversal in apko Container Image Builder

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42574
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
chainguard-dev apko From 0.14.8 (inc) to 1.2.5 (exc)
chainguard-dev apko 1.2.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42574 is a high-severity vulnerability in the apko tool versions from 0.14.8 up to but not including 1.2.5. The issue arises because a crafted .apk file can include a TypeSymlink tar entry that points outside the intended build root directory. This symlink can then be exploited by subsequent directory creation or file write operations within the same or later archive to traverse the symlink and access host system paths that the build user can write to.

The root cause is that the path sanitization function only blocked lexical ".." traversal but did not handle symlinks properly. As a result, multiple filesystem operations that follow symlinks could be tricked into escaping the build root. This vulnerability allows unauthorized modification of files outside the build environment.

The issue was fixed in apko version 1.2.5 by routing all filesystem operations through Go 1.24's os.Root, which inherently blocks symlink traversal and prevents escaping the root directory.

Impact Analysis

This vulnerability can impact you by allowing an attacker to modify files outside the intended build environment without authorization. Specifically, a malicious .apk package can exploit the symlink traversal flaw to write to arbitrary host paths that the build user has write permissions for.

The impact is primarily on data integrity, as unauthorized modifications can be made to files on the host system. The vulnerability has a high severity score (CVSS 7.5) with low attack complexity, no privileges required, and no user interaction needed, making it relatively easy to exploit.

There is no complete workaround other than upgrading to apko version 1.2.5 or later. Using only signed APKs from trusted sources can reduce but not eliminate the risk.

Detection Guidance

There is no specific detection method or commands provided in the available information to identify exploitation of this vulnerability on your network or system.

Mitigation Strategies

The primary mitigation step is to upgrade the apko tool to version 1.2.5 or later, where the vulnerability has been fixed by routing filesystem operations through Go 1.24's os.Root, which blocks symlink traversal and path escapes.

There is no complete workaround other than upgrading. Consuming only signed APK packages from trusted sources can reduce exposure but does not eliminate the risk.

Compliance Impact

The vulnerability in apko allows crafted .apk files to perform path traversal via symlinks, enabling unauthorized modification of host paths writable by the build user. This primarily impacts data integrity by allowing unauthorized changes to files during the build process.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for unauthorized modification of files could potentially lead to violations of data integrity requirements mandated by these regulations if sensitive data or systems are affected.

Organizations relying on apko for building container images should upgrade to version 1.2.5 or later to mitigate this risk and help maintain compliance with data protection standards that require safeguarding against unauthorized data modification.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart