CVE-2026-42575: CWE-345: Insufficient Verification of Data Authenticity in chainguard-dev apko
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
AI Analysis
Technical Summary
The vulnerability in apko (versions before 1.2.7) involves insufficient verification of data authenticity (CWE-345). While the signature on the APKINDEX.tar.gz is verified, the checksums of individual .apk packages downloaded are not compared against the signed index's recorded checksums. The checksum values are parsed and available, and the package control hash is computed, but these are never compared in the getPackageImpl() function. This flaw allows an attacker capable of intercepting or substituting download responses (e.g., via a compromised mirror, HTTP repository, or poisoned CDN cache) to inject arbitrary packages into container images built by apko. The vulnerability is tracked as CVE-2026-42575 with a CVSS 3.1 score of 7.5 (high severity). The issue is patched in apko version 1.2.7.
Potential Impact
An attacker who can manipulate the download source can cause apko to silently accept and install arbitrary, potentially malicious packages into OCI container images. This compromises the integrity of the built images, potentially leading to the inclusion of unauthorized or malicious software. There is no impact on confidentiality or availability indicated. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade apko to version 1.2.7 or later, where this vulnerability is patched. Prior versions do not properly verify package checksums against the signed index, allowing tampering. No other mitigation is indicated or required by the vendor advisory.
CVE-2026-42575: CWE-345: Insufficient Verification of Data Authenticity in chainguard-dev apko
Description
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in apko (versions before 1.2.7) involves insufficient verification of data authenticity (CWE-345). While the signature on the APKINDEX.tar.gz is verified, the checksums of individual .apk packages downloaded are not compared against the signed index's recorded checksums. The checksum values are parsed and available, and the package control hash is computed, but these are never compared in the getPackageImpl() function. This flaw allows an attacker capable of intercepting or substituting download responses (e.g., via a compromised mirror, HTTP repository, or poisoned CDN cache) to inject arbitrary packages into container images built by apko. The vulnerability is tracked as CVE-2026-42575 with a CVSS 3.1 score of 7.5 (high severity). The issue is patched in apko version 1.2.7.
Potential Impact
An attacker who can manipulate the download source can cause apko to silently accept and install arbitrary, potentially malicious packages into OCI container images. This compromises the integrity of the built images, potentially leading to the inclusion of unauthorized or malicious software. There is no impact on confidentiality or availability indicated. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade apko to version 1.2.7 or later, where this vulnerability is patched. Prior versions do not properly verify package checksums against the signed index, allowing tampering. No other mitigation is indicated or required by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-28T17:26:12.085Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ff8cbdcbff5d86106ac33b
Added to database: 5/9/2026, 7:36:29 PM
Last enriched: 5/9/2026, 7:51:20 PM
Last updated: 5/10/2026, 9:18:31 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.