{"id":"GHSA-hcwr-pq9g-rq3m","summary":"apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)","details":"apko verifies the signature on `APKINDEX.tar.gz` but never compares individually downloaded `.apk` packages against the checksum recorded in the signed index. The checksum is parsed and available via `ChecksumString()`, and the downloaded package control hash is computed, but the two values are never compared in `getPackageImpl()`. Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images, so the signature on the index gives no integrity guarantee for the packages actually installed.\n\n**Fix:** Fixed in apko v1.2.7 (commit a118c3d604107532b5525bd4bee2fb369a6228aa, linked in the references below); releases before 1.2.7 remain affected.\n\n**Acknowledgements**\n\napko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.","aliases":["CVE-2026-42575"],"modified":"2026-05-13T13:56:02.800511Z","published":"2026-05-04T21:27:17Z","related":["CGA-wrg6-rwvj-pmff"],"database_specific":{"nvd_published_at":"2026-05-09T20:16:29Z","cwe_ids":["CWE-345","CWE-494"],"github_reviewed_at":"2026-05-04T21:27:17Z","severity":"HIGH","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42575"},{"type":"WEB","url":"https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa"},{"type":"PACKAGE","url":"https://github.com/chainguard-dev/apko"},{"type":"WEB","url":"https://github.com/chainguard-dev/apko/releases/tag/v1.2.7"}],"affected":[{"package":{"name":"chainguard.dev/apko","ecosystem":"Go","purl":"pkg:golang/chainguard.dev/apko"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.7"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hcwr-pq9g-rq3m/GHSA-hcwr-pq9g-rq3m.json"}}],"schema_version":"1.7.5",
"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}
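The missing comparison the advisory's details describe, shown as an added, self-contained Go example. This is not apko's or go-apk's code and does not use their API; it assumes the APKv2 on-disk layout as I understand it (three concatenated gzip members: signature, control, data) and assumes the value an APKINDEX records for a package, and that apko's `ChecksumString()` returns, is `Q1` followed by the base64 SHA-1 of the raw compressed control member. The sample packages are constructed inline; `BuildSamplePackage`, `ControlChecksum` and `VerifyDownloadedPackage` are names chosen for this example. It computes the index-style checksum of a genuine package, then shows that a substituted package with a different control segment is rejected only if the comparison is actually made.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"io"
)

// gzipMember wraps payload in one gzip member. Real apk members are tar
// segments; arbitrary bytes are enough to exercise the checksum path.
func gzipMember(payload []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(payload)
	zw.Close()
	return buf.Bytes()
}

// BuildSamplePackage assembles a constructed, signed-layout APKv2 file:
// signature member, control member (.PKGINFO), data member, concatenated.
// The signature bytes are a placeholder; signatures are not checked here.
func BuildSamplePackage(pkginfo, data []byte) []byte {
	apk := gzipMember([]byte("placeholder .SIGN.RSA member"))
	apk = append(apk, gzipMember(pkginfo)...)
	return append(apk, gzipMember(data)...)
}

// splitGzipMembers returns the raw, still-compressed bytes of every gzip
// member in apk. *bytes.Reader implements io.ByteReader, so compress/gzip
// reads it unbuffered and its offset after one member (Multistream(false))
// is exactly that member's end.
func splitGzipMembers(apk []byte) ([][]byte, error) {
	var members [][]byte
	r := bytes.NewReader(apk)
	for r.Len() > 0 {
		start := r.Size() - int64(r.Len())
		zr, err := gzip.NewReader(r)
		if err != nil {
			return nil, err
		}
		zr.Multistream(false)
		if _, err := io.Copy(io.Discard, zr); err != nil {
			return nil, err
		}
		members = append(members, apk[start:r.Size()-int64(r.Len())])
	}
	return members, nil
}

// ControlChecksum computes the package identity an APKINDEX records for the
// package (assumption: "Q1" + base64(SHA-1) over the raw compressed control
// member). The example assumes a signed layout, so control is member 1.
func ControlChecksum(apk []byte) (string, error) {
	members, err := splitGzipMembers(apk)
	if err != nil {
		return "", err
	}
	if len(members) != 3 {
		return "", fmt.Errorf("apk: expected 3 gzip members, found %d", len(members))
	}
	sum := sha1.Sum(members[1])
	return "Q1" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// VerifyDownloadedPackage is the comparison the advisory describes as missing:
// refuse a downloaded package whose control hash differs from the checksum in
// the signed index instead of silently accepting it.
func VerifyDownloadedPackage(apk []byte, indexChecksum string) error {
	got, err := ControlChecksum(apk)
	if err != nil {
		return err
	}
	if got != indexChecksum {
		return fmt.Errorf("package hashes to %s but signed index records %s", got, indexChecksum)
	}
	return nil
}

func main() {
	data := []byte("#!/bin/sh\necho hello\n")
	genuine := BuildSamplePackage([]byte("pkgname = hello\npkgver = 1.0-r0\n"), data)
	indexChecksum, _ := ControlChecksum(genuine) // value the signed APKINDEX would carry
	// A mirror swaps in a package whose control segment differs.
	substituted := BuildSamplePackage([]byte("pkgname = hello\npkgver = 1.0-r0\nprovides = backdoor\n"), data)
	fmt.Println("genuine:    ", VerifyDownloadedPackage(genuine, indexChecksum))
	fmt.Println("substituted:", VerifyDownloadedPackage(substituted, indexChecksum))
}
```

Two caveats for anyone adapting this. The check must fail closed: an error from the hash computation, or a missing `C:` entry in the index, is a rejection, not a skip, otherwise a substituted package falls through exactly as in the vulnerable path. And, as I understand the format, the `Q1` identity covers only the control segment; the data segment is bound through the `datahash` field inside `.PKGINFO`, so a complete verifier also checks that value against the data member rather than stopping at the index checksum.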