CVE-2026-42575
Status: Received - Intake
Signature Verification Bypass in apko OCI Image Builder

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-09
Generated: 2026-05-10
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: chainguard-dev
Product: apko
Version / Range: up to 1.2.7 (1.2.7 excluded)
CWE
CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in apko involves the failure to verify downloaded APK packages against the checksums recorded in the signed APKINDEX.tar.gz file. While apko verifies the signature of the APKINDEX file itself, it does not compare the checksum of each individually downloaded .apk package with the expected checksum from the signed index. This means that mismatched or tampered packages are silently accepted.

An attacker who can intercept or manipulate download responses, such as through a compromised mirror, an HTTP repository, or a poisoned CDN cache, can substitute arbitrary packages into the built OCI container images without detection. This allows the attacker to inject malicious packages into images built using vulnerable versions of apko (prior to version 1.2.7).

How can this vulnerability impact me?

This vulnerability can lead to the installation of arbitrary and potentially malicious packages into OCI container images built with apko. Since the package checksums are not verified, attackers can substitute compromised packages during the download process.

The impact includes the risk of introducing malicious code into container images, which can compromise the security and integrity of applications and systems that deploy these images. This can lead to unauthorized code execution, data manipulation, or other security breaches.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves apko not verifying downloaded APK packages against the checksums recorded in the signed APKINDEX.tar.gz file prior to version 1.2.7. Detection involves verifying whether the apko version in use is prior to 1.2.7 and checking if package control hashes are being validated during image builds.

Since the vulnerability is related to checksum verification of downloaded packages, one way to detect exploitation is to monitor or audit the integrity of built OCI images by comparing package hashes against the signed APKINDEX checksums.

Specific commands to detect this vulnerability are not provided in the available resources. However, general steps include:

  • Check the installed apko version with a command like `apko --version` or by inspecting the binary version.
  • Review build logs or scripts to confirm if checksum verification is performed during package downloads.
  • Manually verify package checksums by extracting APKINDEX.tar.gz and comparing the checksums of downloaded .apk packages against those recorded in the index.
  • Use network monitoring tools to detect suspicious package downloads from untrusted mirrors or HTTP repositories.
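Added example in Go (apko's language; this is not apko's own code): the comparison the description says was missing, hashing a downloaded package's control section and checking it against the checksum the signed index recorded for it, which is also the manual check the detection steps above describe. It assumes the APKv2 layout (optional .SIGN.* member, then the control member whose tar begins with .PKGINFO, then the data member) and that the index's C: value is "Q1" plus base64 SHA-1 of the control member's compressed bytes; BuildAPK is a constructed fixture, not a real package.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"io"
)

// ControlChecksum: APKv2 "Q1" checksum, base64(SHA-1) over the compressed bytes of the control member only (the tar starting with .PKGINFO; a leading .SIGN.* member is skipped).
func ControlChecksum(apk []byte) (string, error) {
	for r, pos := bytes.NewReader(apk), 0; pos < len(apk); pos = len(apk) - r.Len() {
		zr, err := gzip.NewReader(r)
		if err != nil {
			return "", err
		}
		zr.Multistream(false) // one member only; as r is an io.ByteReader, gzip reads no further than this member's trailer
		if data, err := io.ReadAll(zr); err != nil {
			return "", err
		} else if h, _ := tar.NewReader(bytes.NewReader(data)).Next(); h != nil && h.Name == ".PKGINFO" {
			sum := sha1.Sum(apk[pos : len(apk)-r.Len()])
			return "Q1" + base64.StdEncoding.EncodeToString(sum[:]), nil
		}
	}
	return "", fmt.Errorf("no control section (.PKGINFO) found")
}

// VerifyPackage is the comparison apko skipped before 1.2.7: accept the download only if its control hash equals the C: checksum the signature-verified APKINDEX records for that package.
func VerifyPackage(apk []byte, indexChecksum string) error {
	got, err := ControlChecksum(apk)
	if err == nil && got != indexChecksum {
		err = fmt.Errorf("checksum mismatch: index %s, download %s", indexChecksum, got)
	}
	return err
}
// BuildAPK is a constructed fixture standing in for a real download: a control member, then a data member.
func BuildAPK(pkginfo, payload string) []byte {
	var out bytes.Buffer
	for _, f := range [][2]string{{".PKGINFO", pkginfo}, {"usr/bin/hello", payload}} {
		zw := gzip.NewWriter(&out)
		tw := tar.NewWriter(zw)
		_ = tw.WriteHeader(&tar.Header{Name: f[0], Mode: 0o644, Size: int64(len(f[1]))})
		_, _ = tw.Write([]byte(f[1]))
		_, _ = tw.Close(), zw.Close()
	}
	return out.Bytes()
}
```

Run VerifyPackage between download and install so that a mismatch aborts the build and is logged; that log line is also the signal to alert on when auditing builds from the affected versions.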

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade apko to version 1.2.7 or later, where the vulnerability has been fixed by implementing verification of package control hashes against the signed APKINDEX.

Until the upgrade can be applied, avoid using untrusted mirrors, HTTP repositories, or CDN caches that could be compromised to substitute malicious packages.

Additionally, consider auditing existing OCI images built with vulnerable apko versions for unexpected or unauthorized packages.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to substitute arbitrary packages into built OCI container images by exploiting insufficient verification of package integrity. Such unauthorized code insertion can lead to compromised software supply chains and potentially introduce malicious code into production environments.

While the provided context and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to inject unauthorized code could indirectly impact compliance by undermining the integrity and security of software systems that handle sensitive data.

Organizations subject to regulations requiring strict data integrity and security controls might find this vulnerability relevant, as it represents a risk to the authenticity and trustworthiness of software components, which could affect compliance with such standards.

