CVE-2026-42574: apko Symlink Traversal Allows Host Path Writes

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-22cwe-59
CVE-2026-42574: apko Symlink Traversal Allows Host Path Writes

The National Vulnerability Database has disclosed CVE-2026-42574, a high-severity vulnerability (CVSS 7.5) affecting apko versions 0.14.8 up to, but not including, 1.2.5. apko, used for building and publishing OCI container images from apk packages, is susceptible to a symlink traversal flaw during image creation. A maliciously crafted .apk package can install a TypeSymlink tar entry that points outside the build root.

This critical oversight allows a subsequent directory-creation or file-write entry within the same or a later archive to traverse that symlink. The attacker can then write to host paths accessible by the build user, potentially compromising the host system where the container image is being built. This is a classic path traversal issue (CWE-22) combined with an improper link resolution vulnerability (CWE-59), enabling unauthorized file system access.

Defenders leveraging apko for their container build pipelines must immediately upgrade to version 1.2.5 or later. This vulnerability highlights the persistent risks associated with supply chain integrity, even at the fundamental image build stage. Attackers are constantly looking for ways to escape containerization, and a vulnerability like this provides a direct avenue to the host system.

What This Means For You

  • If your organization uses apko for building container images, you are exposed. Check your apko version immediately and ensure it is 1.2.5 or newer. An attacker who can inject a malicious `.apk` into your build process could write to arbitrary files on your build host, potentially leading to a full system compromise. This isn't just a container escape; it's a build-time compromise with systemic implications.

Related ATT&CK Techniques

T1570 Lateral Movement Lateral Movement T1078.004 Cloud Account Persistence T1078 Valid Accounts Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1570 Lateral Movement

CVE-2026-42574: apko Symlink Traversal to Host Path Write

Sigma YAML — free preview 
title: CVE-2026-42574: apko Symlink Traversal to Host Path Write
id: scw-2026-05-09-ai-1
status: experimental
level: high
description: |
  Detects the execution of 'apko build' which is the primary mechanism for this vulnerability. This rule specifically targets the apko binary being used in a build context, which is necessary for the symlink traversal to occur. The vulnerability allows a crafted .apk to create a symlink outside the build root, enabling subsequent writes to host paths.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42574/
tags:
  - attack.lateral_movement
  - attack.t1570
logsource:
    category: process_creation
detection:
  selection:
      Image|startswith:
          - '/usr/bin/apko'
      CommandLine|contains:
          - 'build'
      ParentImage|contains:
          - 'apko'
  selection_base:
      Image|startswith:
          - '/usr/bin/apko'
  selection_indicators:
      CommandLine|contains:
          - 'build'
      ParentImage|contains:
          - 'apko'
  condition: selection_base AND selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-42574 Path Traversal apko versions 0.14.8 to before 1.2.5
CVE-2026-42574 Path Traversal Crafted .apk installing TypeSymlink tar entry with target outside build root
CVE-2026-42574 Path Traversal Subsequent directory-creation or file-write entry traversing symlink to host paths

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 09, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8210 — Aandrew-Me Tgpt Command Injection

CVE-2026-8210 — A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of...

vulnerabilityCVEmedium-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /MEDIUM /5.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-8195 — JeecgBoot Vulnerability

CVE-2026-8195 — A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component...

vulnerabilityCVEmedium-severitycwe-79cwe-94
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-8194 — OsTicket Vulnerability

CVE-2026-8194 — A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component...

vulnerabilityCVEmedium-severitycwe-352cwe-862
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 3 IOCs /⚙ 3 Sigma