CVE-2026-42575— apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

CVSS 7.5 · High EPSS 0.02% · P5 Updated May 15, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42575

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

Source: NVD (National Vulnerability Database)

Vulnerability Description

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对数据真实性的验证不充分

Source: NVD (National Vulnerability Database)

Vulnerability Title

apko 数据伪造问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

apko是apko开源的一个基于 apk 的 OCI 镜像构建器。 apko 1.2.7之前版本存在数据伪造问题漏洞，该漏洞源于验证APKINDEX.tar.gz签名但未将下载的.apk包与签名索引中的校验和进行比较，可能导致攻击者安装任意包到构建镜像中。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
chainguard-dev	apko	< 1.2.7	-

II. Public POCs for CVE-2026-42575

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

Qwen3.6-35B-A3B · 7824 chars

Paid plan includes:

In-depth vulnerability mechanism

Trigger conditions & impact

Full executable POC code

Exploit chain & mitigation

POC zip download

100+ AI POC generations per month

Upgrade Pro to unlock ¥99/month Sign up first

III. Intelligence Information for CVE-2026-42575

请登录查看更多情报信息。

Vendor · 1Advisory · 1Patch · 1

Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total

CVE-2026-42574	7.5 HIGH	apko dirFS has a symlink-following path traversal that allows multiple entry points to esc
CVE-2026-42576	6.5 MEDIUM	apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

IV. Related Vulnerabilities

Same product: apko

Same vendor: chainguard-dev

Same weakness: CWE-345

V. Comments for CVE-2026-42575

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-42575— apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

I. Basic Information for CVE-2026-42575

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-42575

III. Intelligence Information for CVE-2026-42575

Same Patch Batch · chainguard-dev · 2026-05-09 · 3 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-42575

Leave a comment