CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
Severity: HIGH 7.5 | EPSS 0.02%
Description
apko verifies the signature on `APKINDEX.tar.gz` but never compares individually downloaded `.apk` packages against the checksum recorded in the signed index. The checksum is parsed and available via `ChecksumString()`, and the downloaded package control hash is computed, but the two values are never compared in `getPackageImpl()`. Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images.

**Fix:** No fix available yet.

**Acknowledgements:** apko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.
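The missing step is a comparison between the checksum the signed APKINDEX records for a package and the hash of what was actually downloaded. The following Go program is an added example, not apko's code: it decodes the apk-tools checksum encoding used in an index entry's `C:` field (a `Q1` prefix for base64 SHA-1, `Q2` for base64 SHA-256), hashes the downloaded control segment, and fails closed on any mismatch. The `fetchPackage` function and the index/mirror maps are hypothetical stand-ins for `getPackageImpl()` and for HTTP responses; the control-segment bytes are constructed here rather than extracted from a real `.apk`.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ErrChecksumMismatch is returned when the downloaded package's control
// checksum differs from the value recorded in the signed APKINDEX.
var ErrChecksumMismatch = errors.New("downloaded package does not match signed APKINDEX checksum")

// ParseIndexChecksum decodes the apk-tools "C:" encoding:
// "Q1" + base64(SHA-1) or "Q2" + base64(SHA-256). Anything else is rejected.
func ParseIndexChecksum(s string) (algo string, digest []byte, err error) {
	switch {
	case strings.HasPrefix(s, "Q1"):
		algo = "sha1"
	case strings.HasPrefix(s, "Q2"):
		algo = "sha256"
	default:
		return "", nil, fmt.Errorf("unsupported checksum encoding %q", s)
	}
	digest, err = base64.StdEncoding.DecodeString(s[2:])
	if err != nil {
		return "", nil, fmt.Errorf("malformed checksum %q: %w", s, err)
	}
	want := map[string]int{"sha1": sha1.Size, "sha256": sha256.Size}[algo]
	if len(digest) != want {
		return "", nil, fmt.Errorf("checksum %q has %d bytes, want %d", s, len(digest), want)
	}
	return algo, digest, nil
}

// ControlDigest hashes a package's control segment with the named algorithm.
// In a real .apk this is the gzip member holding .PKGINFO; here the caller
// passes the bytes directly (constructed for the example).
func ControlDigest(algo string, control []byte) []byte {
	switch algo {
	case "sha1":
		sum := sha1.Sum(control)
		return sum[:]
	case "sha256":
		sum := sha256.Sum256(control)
		return sum[:]
	}
	return nil
}

// EncodeIndexChecksum produces the "C:" value for a control segment; used
// here only to build the constructed sample index.
func EncodeIndexChecksum(algo string, control []byte) string {
	prefix := map[string]string{"sha1": "Q1", "sha256": "Q2"}[algo]
	return prefix + base64.StdEncoding.EncodeToString(ControlDigest(algo, control))
}

// VerifyPackageChecksum is the comparison the advisory says was missing:
// the download is accepted only if its control digest equals the index value.
func VerifyPackageChecksum(indexChecksum string, control []byte) error {
	algo, want, err := ParseIndexChecksum(indexChecksum)
	if err != nil {
		return err
	}
	got := ControlDigest(algo, control)
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return ErrChecksumMismatch
	}
	return nil
}

// fetchPackage (hypothetical) models the download path: look the package up
// in the signed index, take the mirror's bytes, and refuse to return them
// unless the checksum matches. The mirror map stands in for HTTP responses.
func fetchPackage(index map[string]string, mirror map[string][]byte, name string) ([]byte, error) {
	indexChecksum, ok := index[name]
	if !ok {
		return nil, fmt.Errorf("%s not present in APKINDEX", name)
	}
	control, ok := mirror[name]
	if !ok {
		return nil, fmt.Errorf("mirror has no %s", name)
	}
	if err := VerifyPackageChecksum(indexChecksum, control); err != nil {
		return nil, fmt.Errorf("%s: %w", name, err)
	}
	return control, nil
}

func main() {
	genuine := []byte("P:busybox\nV:1.36.1-r0\n") // constructed control segment
	index := map[string]string{"busybox": EncodeIndexChecksum("sha1", genuine)}

	if _, err := fetchPackage(index, map[string][]byte{"busybox": genuine}, "busybox"); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("busybox: checksum matches signed index")
	}

	// A substituted response from a hostile mirror is rejected before use.
	substituted := map[string][]byte{"busybox": []byte("P:busybox\nV:1.36.1-r0\nmodified\n")}
	if _, err := fetchPackage(index, substituted, "busybox"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check is placed before the bytes are handed to anything that unpacks them, so a substituted package never reaches the image even when the mirror is reachable only over plain HTTP; an unknown checksum encoding is treated as a failure rather than skipped.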
Affected packages (1)
- Go / chainguard.dev/apko: from 0, < 1.2.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-42575
- PATCH: https://github.com/chainguard-dev/apko
- WEB: https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa
- WEB: https://github.com/chainguard-dev/apko/releases/tag/v1.2.7
- WEB: https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m