Type Assertion Vulnerability in Apko by Chainguard
CVE-2026-42576
6.5 MEDIUM
What is CVE-2026-42576?
The Apko tool, developed by Chainguard, prior to version 1.2.7, contains a vulnerability in its handling of JSON Web Key Sets (JWKS). When fetching repository keys, it erroneously type-asserts JWKS keys as *rsa.PublicKey without validating the key type. This oversight leads to a panic and crash if an endpoint returns a non-RSA key, such as an EC key, disrupting workflows that initialize the APK database. Users are recommended to upgrade to version 1.2.7 or later for a fix.
Affected Version(s)
apko < 1.2.7
