Symlink Vulnerability in apko Container Image Builder by Chainguard
CVE-2026-42574

7.5 HIGH

Key Information:

Vendor: Chainguard
CVE Published: 9 May 2026

What is CVE-2026-42574?

apko builds OCI container images from apk packages. Versions from 0.14.8 up to, but not including, 1.2.5 can be abused by a crafted .apk that carries a tar entry of type TypeSymlink whose link target points outside the build root. When apko installs that entry, the symlink resolves to a location on the host filesystem, enabling path traversal and unauthorized writes to any host path the build user can write to (an integrity impact, consistent with the CVSS vector below). The issue is fixed in apko 1.2.5; users should upgrade to that version or later.
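The core of the issue is that a symlink entry's link target is attacker-controlled data that must be contained within the build root before the entry is installed. The Go program below is an added illustration written for this page; it is not apko's code and does not reproduce apko's actual fix. It builds a small in-memory tar stream (constructed sample data, not a real .apk) containing benign and escaping symlinks, then audits it with a hypothetical `symlinkEscapesRoot` helper that lexically resolves each link target relative to the entry's own directory and flags anything that climbs above the root. Absolute targets are treated as relative to the build root, the way they resolve inside the finished image.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// escapesRoot reports whether a root-relative path climbs above the build
// root. path.Clean preserves leading ".." components on relative paths,
// which is exactly the condition being tested.
func escapesRoot(rel string) bool {
	rel = path.Clean(rel)
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// symlinkEscapesRoot reports whether a symlink entry installed at entryName
// (relative to the build root) with target linkTarget would, after purely
// lexical resolution, point outside the build root. Hypothetical helper for
// this example, not apko's code; it does not follow symlinks already on disk.
func symlinkEscapesRoot(entryName, linkTarget string) bool {
	entry := path.Clean(strings.TrimPrefix(entryName, "/"))
	if escapesRoot(entry) {
		return true // the entry name itself traverses out of the root
	}
	if path.IsAbs(linkTarget) {
		// Absolute targets are anchored at the build root (image-relative).
		return escapesRoot(strings.TrimPrefix(path.Clean(linkTarget), "/"))
	}
	// Relative targets resolve from the directory containing the symlink.
	return escapesRoot(path.Join(path.Dir(entry), linkTarget))
}

// auditArchive walks a tar stream and returns, in archive order, the names
// of symlink entries whose target escapes the build root.
func auditArchive(r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var rejected []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeSymlink && symlinkEscapesRoot(hdr.Name, hdr.Linkname) {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// buildSampleArchive constructs an in-memory tar stream (sample data made
// up for this example, not a real .apk) with two benign symlinks followed
// by two whose targets climb out of the build root.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	links := []struct{ name, target string }{
		{"usr/bin/sh", "/bin/busybox"},             // absolute, inside the image
		{"usr/lib/libc.so", "../../lib/libc.so.6"}, // relative, stays inside
		{"etc/passwd", "../../../../etc/passwd"},   // climbs out of the root
		{"var/cache/out", "../../../home/build"},   // also climbs out
	}
	for _, l := range links {
		hdr := &tar.Header{
			Typeflag: tar.TypeSymlink,
			Name:     l.name,
			Linkname: l.target,
			Mode:     0o777,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	rejected, err := auditArchive(bytes.NewReader(buildSampleArchive()))
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected symlink entries:", rejected)
}
```

A lexical check like this only covers the symlink entry itself. An extractor that later opens root plus an entry name with ordinary file APIs will still follow any symlink already installed on disk, including one with an absolute target, so writes into the root must also be performed with scoped path resolution (for example, Linux openat2 with RESOLVE_BENEATH, or a library such as filepath-securejoin) rather than naive string joining.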

Affected Version(s)

apko >= 0.14.8, < 1.2.5

CVSS v3.1

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 9 May 2026
