Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
Published: 2026-05-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in apko versions earlier than 1.2.7 stems from a missing verification step for individual .apk packages. While the APKINDEX tarball is signed, the installer never compares the checksum of each downloaded package against the value recorded in the signed index. This oversight allows an attacker controlling the package source—be it a compromised mirror, an HTTP repository, or a poisoned CDN cache—to substitute a malicious package without detection. If the build process is fed such a package, the resulting OCI image will contain arbitrary code, effectively enabling the attacker to tamper with the image’s contents and potentially execute malicious binaries when the image is later used.

Affected Systems

The affected product is Chainguard apko, a tool for creating OCI container images from apk packages. All releases before version 1.2.7 are impacted; the patch was introduced in release v1.2.7.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS data is not available, so the current exploitation probability is unknown, but the vulnerability is not listed in the CISA KEV catalog. An attacker only needs the ability to intercept or influence the package download path, which can be achieved remotely through a compromised mirror or CDN. Once the build in a trusted environment is attacked, the embedded malicious code will propagate with the newly built image, leading to widespread compromise if the image is deployed.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apko to version 1.2.7 or newer to enable checksum verification for each .apk package.
  • If upgrading is not feasible, deploy a trusted internal package mirror and configure apko to use this mirror so that package downloads are controlled and verified.
  • As a temporary measure, manually compute the checksum of each downloaded .apk and compare it with the value recorded in APKINDEX.tar.gz before proceeding with the build, using an independent tool or script.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hcwr-pq9g-rq3m apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
History

Sat, 09 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev apko
Vendors & Products Chainguard-dev
Chainguard-dev apko

Sat, 09 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
Title apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
Weaknesses CWE-345
CWE-494
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Chainguard-dev Apko
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:26:27.415Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42575

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:29.573

Modified: 2026-05-09T20:16:29.573

Link: CVE-2026-42575

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T20:30:41Z

Weaknesses