{"id":"GHSA-m7hm-vm4x-28jf","summary":"apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery","details":"`DiscoverKeys` in `pkg/apk/apk/implementation.go` unconditionally type-asserts JWKS keys as `*rsa.PublicKey` without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions \u003c= 0.30.34.\n\n**Fix:** No fix available yet.\n\n**Acknowledgements**\n\napko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.","aliases":["CVE-2026-42576"],"modified":"2026-05-05T19:14:20.628284057Z","published":"2026-05-04T21:25:30Z","related":["CGA-vq4q-hxh3-r2f6"],"database_specific":{"nvd_published_at":null,"severity":"MODERATE","github_reviewed_at":"2026-05-04T21:25:30Z","github_reviewed":true,"cwe_ids":["CWE-704"]},"references":[{"type":"WEB","url":"https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf"},{"type":"PACKAGE","url":"https://github.com/chainguard-dev/apko"}],"affected":[{"package":{"name":"chainguard.dev/apko","ecosystem":"Go","purl":"pkg:golang/chainguard.dev/apko"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.7"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-m7hm-vm4x-28jf/GHSA-m7hm-vm4x-28jf.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}