Skip to main content

apko CVE-2026-42576

MEDIUM
Incorrect Type Conversion or Cast (CWE-704)
2026-05-04 https://github.com/chainguard-dev/apko GHSA-m7hm-vm4x-28jf
Denial Of Service
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 21:47 vuln.today
Analysis Generated
May 04, 2026 - 21:47 vuln.today

DescriptionNVD

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. Affected versions <= 0.30.34.

Fix: No fix available yet.

Acknowledgements

apko thanks Oleh Konko from 1seal for discovering and reporting this issue.

AnalysisAI

Apko crashes via denial-of-service when a repository JWKS endpoint returns a non-RSA key due to an unchecked type assertion in the DiscoverKeys function. The vulnerability affects any workflow initializing the APK database and requires user interaction to trigger (e.g., running apko with a malicious repository), with CVSS 6.5 reflecting the availability impact. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-42576 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy