Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.
Published: 2026-05-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DiscoverKeys in apko unconditionally type‑asserts JWKS keys as RSA public keys without verifying the key type. If a repository JWKS endpoint supplies a non‑RSA key such as EC, the assertion fails, causing a panic and crashing apko. The crash occurs during initialization of the APK database and repository key fetching, leading to a denial of service for any process that uses apko. The weakness is classified as CWE‑704.

Affected Systems

Vendors: chainguard‑dev. Product: apko. Affected versions: any release prior to v1.2.7. The critical failure occurs in the DiscoverKeys component, which is used during image build and publication workflows that rely on APK package repositories.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating a moderate severity. No EPSS score is reported, so the likelihood of exploitation is not quantified, and vulnerability is not listed in CISA KEV. Because the failure happens during repository key discovery, an attacker would need to control or manipulate a repository or hijack a JWKS endpoint to supply a non‑RSA key. If successful, the attacker can cause apko to crash, resulting in interruption of image build or deployment services. The attack vector is likely remote, via crafted JWKS data at a trusted repository endpoint.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade apko to version 1.2.7 or later to apply the fix that checks key types before use.
  • If upgrading is not feasible, modify the DiscoverKeys logic to validate the key type or limit the JWKS endpoint to RSA keys only; alternatively, configure the repository to use RSA keys.
  • Monitor apko logs for panic events or crashes during image build and ensure that the process remains stable.

Generated by OpenCVE AI on May 9, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m7hm-vm4x-28jf apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
History

Sat, 09 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Chainguard-dev
Chainguard-dev apko
Vendors & Products Chainguard-dev
Chainguard-dev apko

Sat, 09 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.
Title apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery
Weaknesses CWE-704
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Chainguard-dev Apko
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:26:56.224Z

Reserved: 2026-04-28T17:26:12.085Z

Link: CVE-2026-42576

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:29.717

Modified: 2026-05-09T20:16:29.717

Link: CVE-2026-42576

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T20:30:41Z

Weaknesses