Skip to main content

Apko CVE-2026-54174

HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-10 https://github.com/chainguard-dev/melange GHSA-fpg8-7664-jc5q
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Attacker needs a privileged MITM/cache/mirror position (AC:H) and a victim build (UI:R); no auth (PR:N); poisoned packages flow into downstream images (S:C) with full integrity/confidentiality/availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 22:20 vuln.today

DescriptionGitHub Advisory

Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

AnalysisAI

Integrity bypass in Chainguard's apko (and the shared logic in melange) allows a network attacker to swap the actual installed contents of an apk package while its signature check still passes, because apko validated only the control-section hash (.PKGINFO) against the signed APKINDEX and never verified the data-section hash. Anyone able to compromise a package mirror, poison a fetch cache, or MITM the download can therefore inject arbitrary files into images built with these tools. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MITM or poison mirror/cache
Delivery
Substitute malicious data section, keep signed control metadata
Exploit
Victim runs apko/melange build fetching package
Execution
Control hash passes, data hash unverified
Persist
Malicious files installed into built image
Impact
Compromised image published to downstream consumers

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control package delivery to the build: a compromised or malicious apk mirror, a poisoned shared/fetch cache, or an active man-in-the-middle position on the package download path - this is the concrete AC:H precondition, not an incidental one. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, base 8.3) is internally consistent with a supply-chain integrity flaw: network reachable and unauthenticated, but rated High attack complexity because the attacker must first obtain a privileged network position (mirror compromise, cache poisoning, or MITM) and Requires User Interaction because a victim must run a build that fetches the poisoned package; Scope is Changed because tampered packages flow into downstream images consumed by other systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has poisoned a shared build cache or sits on the network path between a CI runner and an apk mirror substitutes a malicious data section into a fetched package while leaving the signed control metadata intact. The apko/melange build validates the control hash, sees it match the signed APKINDEX, and installs the attacker's files into the resulting image, which is then published and pulled by downstream consumers. …
Remediation Patch available per vendor advisory: upgrade apko and melange to the fixed releases described in GHSA-fpg8-7664-jc5q (https://github.com/chainguard-dev/melange/security/advisories/GHSA-fpg8-7664-jc5q); the input did not include an exact fixed version, so confirm the precise tag from that advisory before pinning. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running apko and audit build logs from the past 90 days to identify potentially affected images. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy