The vulnerability in apko versions before 1.2.7 involves insufficient verification of data authenticity (CWE-345). While the signature on the APKINDEX.tar.gz file is verified, the checksums of individual .apk packages downloaded are not compared against the signed index checksums. The checksum values are parsed and available, and the package hash is computed, but the comparison is never performed in the getPackageImpl() function. This flaw allows an attacker capable of intercepting or manipulating package downloads (e.g., via compromised mirrors, HTTP repositories, or poisoned CDN caches) to inject arbitrary packages into container images built by apko. The vulnerability is tracked as CVE-2026-42575 with a CVSS 3.1 base score of 7.5 (high severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and an impact on integrity but not confidentiality or availability. The issue has been patched in apko version 1.2.7.

An attacker who can substitute download responses can cause apko to silently accept and install arbitrary packages into OCI container images. This compromises the integrity of the built images, potentially allowing malicious code inclusion. There is no impact on confidentiality or availability indicated. No known exploits in the wild have been reported.

Upgrade apko to version 1.2.7 or later, where this vulnerability has been patched. Prior to upgrading, be cautious of using untrusted mirrors or HTTP repositories for package downloads. Patch status is not explicitly stated but the description confirms the issue is fixed in version 1.2.7.