Executive Summary

The vulnerability CVE-2026-42576 affects the apko tool versions prior to 1.2.7. It occurs because the DiscoverKeys function in the code unconditionally assumes that JWKS keys are RSA public keys without verifying their actual type.

If a repository JWKS endpoint returns a key that is not RSA (for example, an EC key), this unchecked type assertion causes the program to panic and crash. This impacts any workflow that initializes the APK database and fetches repository keys.

The issue has been fixed in version 1.2.7 by replacing the unchecked assertion with a guarded check that returns an error for unsupported key types instead of crashing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the apko tool to crash unexpectedly when it encounters a non-RSA key from a repository JWKS endpoint.

Such crashes disrupt any workflows that rely on initializing the APK database and fetching repository keys, potentially causing service interruptions or failures in container image building and publishing processes.

Because the crash is triggered by a type assertion failure, it does not lead to data corruption or unauthorized access, but availability is impacted.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the apko tool to crash (panic) when it encounters a non-RSA JWKS key during the initialization of the APK database and fetching of repository keys.

To detect this issue, monitor apko executions for unexpected crashes or panics related to key fetching operations.

Since the problem occurs during the DiscoverKeys function when a JWKS endpoint returns a non-RSA key, you can test the JWKS endpoint keys manually by querying them and inspecting their types.

• Use curl or similar tools to fetch the JWKS endpoint JSON and inspect the key types.
• Example command: curl -s https://<repository-jwks-endpoint> | jq '.keys[].kty'

If any key type other than "RSA" is present, this may trigger the vulnerability in affected apko versions.

Additionally, running apko commands that initialize the APK database and observing if they crash can help detect the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability has been patched in apko version 1.2.7 by adding guarded type assertions and error handling for unsupported key types.

Immediate mitigation steps include:

• Upgrade apko to version 1.2.7 or later where the issue is fixed.
• If upgrading is not immediately possible, avoid using repositories or JWKS endpoints that return non-RSA keys to prevent crashes.
• Monitor apko logs and workflows for crashes related to key fetching and handle such failures gracefully.

Useful 0 Not Useful 0

Compliance Impact

The provided context and resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0