CVE-2026-42576 | THREATINT

Description

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.

PUBLISHED Reserved 2026-04-28 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Problem types

CWE-704: Incorrect Type Conversion or Cast

Product status

< 1.2.7

affected

References

github.com/...v/apko/security/advisories/GHSA-m7hm-vm4x-28jf

github.com/...ommit/6604826b19e36e9bc6e196592800fad93738f4a1

github.com/chainguard-dev/apko/releases/tag/v1.2.7

cve.org (CVE-2026-42576)

nvd.nist.gov (CVE-2026-42576)

Download JSON