CVE-2026-42575: apko Container Builder Silently Accepts Malicious Packages
The National Vulnerability Database (NVD) has published CVE-2026-42575, a high-severity vulnerability (CVSS 7.5) in apko, the tool used to build and publish OCI container images from apk packages. The core issue is a validation gap: apko verifies the signature on APKINDEX.tar.gz, but it never compares the checksum of each individual .apk it downloads against the checksum recorded for that package in the signed index.
The affected versions are those prior to apko 1.2.7. An attacker who can intercept or substitute download responses, whether through a compromised mirror, a repository served over plain HTTP, or a poisoned CDN cache, can therefore place arbitrary packages into the built image. As the NVD entry describes it, the signed index is fetched and its signature checked, the per-package checksum is parsed from it, and the hash of the downloaded package is computed, but in getPackageImpl() the two values are never compared, so a mismatched package is accepted without any error.
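To make the failure concrete, here is an added Go example; it is not apko's code and not part of the original advisory. It parses an APKINDEX-style record, hashes the "downloaded" bytes, and shows the vulnerable path returning them without comparing against the index beside the fixed path that rejects the mismatch. The checksum helper is a simplification (an assumption of this example): it hashes the whole blob with SHA-1 and encodes it as the `Q1`-prefixed base64 that APKINDEX uses, whereas real apk checksums cover the package's control section. The package bytes and the index text are constructed sample data.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// IndexEntry is one package record from an APKINDEX: the P:, V: and C: fields.
type IndexEntry struct {
	Name     string
	Version  string
	Checksum string // the raw "Q1<base64 sha1>" value as recorded in the index
}

// ParseIndex reads the APKINDEX text format: records of "K:value" lines
// separated by blank lines. Fields other than P, V and C are ignored.
func ParseIndex(text string) map[string]IndexEntry {
	entries := map[string]IndexEntry{}
	var cur IndexEntry
	flush := func() {
		if cur.Name != "" {
			entries[cur.Name] = cur
		}
		cur = IndexEntry{}
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			flush()
			continue
		}
		if len(line) < 2 || line[1] != ':' {
			continue
		}
		switch line[0] {
		case 'P':
			cur.Name = line[2:]
		case 'V':
			cur.Version = line[2:]
		case 'C':
			cur.Checksum = line[2:]
		}
	}
	flush()
	return entries
}

// Q1Checksum encodes a SHA-1 digest the way APKINDEX records it: "Q1" followed
// by standard base64 of the raw 20-byte digest. Simplification (assumption):
// the digest covers the whole blob; real apk checksums cover the control section.
func Q1Checksum(data []byte) string {
	sum := sha1.Sum(data)
	return "Q1" + base64.StdEncoding.EncodeToString(sum[:])
}

// VulnerableFetch reproduces the bug class described for apko < 1.2.7: the
// checksum from the signed index is available and the download is hashed,
// but the two values are never compared, so any bytes are accepted.
func VulnerableFetch(entry IndexEntry, downloaded []byte) ([]byte, error) {
	expected := entry.Checksum       // parsed from the signed index
	actual := Q1Checksum(downloaded) // computed from what the mirror served
	_, _ = expected, actual          // missing step: if expected != actual { reject }
	return downloaded, nil
}

// ErrChecksumMismatch is returned when a download does not match the index.
var ErrChecksumMismatch = errors.New("package checksum does not match signed index")

// FixedFetch is the behaviour a build tool needs: the download is rejected
// unless its checksum equals the one the signed index vouches for.
func FixedFetch(entry IndexEntry, downloaded []byte) ([]byte, error) {
	if entry.Checksum == "" {
		return nil, fmt.Errorf("%s-%s: index entry has no checksum", entry.Name, entry.Version)
	}
	actual := Q1Checksum(downloaded)
	if actual != entry.Checksum {
		return nil, fmt.Errorf("%s-%s: %w (index %s, downloaded %s)",
			entry.Name, entry.Version, ErrChecksumMismatch, entry.Checksum, actual)
	}
	return downloaded, nil
}

// Constructed sample data (not a real package): the bytes the publisher signed
// the index for, and the bytes a tampered mirror serves instead.
var (
	genuinePkg  = []byte("genuine ca-certificates-20240226-r0.apk contents")
	tamperedPkg = []byte("backdoored ca-certificates-20240226-r0.apk contents")
	sampleIndex = "C:" + Q1Checksum(genuinePkg) + "\nP:ca-certificates\nV:20240226-r0\n\n"
)

func main() {
	entry := ParseIndex(sampleIndex)["ca-certificates"]
	_, err := VulnerableFetch(entry, tamperedPkg)
	fmt.Println("apko < 1.2.7 behaviour, tampered download accepted, err =", err)
	_, err = FixedFetch(entry, tamperedPkg)
	fmt.Println("fixed behaviour, tampered download rejected, err =", err)
}
```

The point of the fixed path is that the signature on the index only vouches for the index; the per-package comparison is what extends that trust to the bytes actually unpacked into the image, and it must fail closed (a missing checksum is an error, not a pass).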
For defenders, this breaks the integrity guarantee the image build is supposed to provide. The signature on APKINDEX.tar.gz protects only the index; without the per-package comparison it says nothing about the bytes actually unpacked into the image. Any organization building images with an affected apko, from a mirror, repository or cache an attacker can tamper with, can end up shipping attacker-chosen packages into production. Upgrade to apko 1.2.7 or later. Until then, pull only from HTTPS repositories you trust, which blocks on-path substitution but not a compromised mirror, and treat images built from sources you do not control as suspect.
What This Means For You
- If your organization builds container images with apko older than 1.2.7, an attacker who can tamper with your package downloads (compromised mirror, plain-HTTP repository, poisoned CDN cache) can inject packages into your images without apko reporting anything. Upgrade to apko 1.2.7 or later, confirm the version your CI runners actually execute, and review images built during the exposure window by re-verifying their package set against the signed APKINDEX of the repository they were built from.
Related ATT&CK Techniques
- T1195.002 Supply Chain Compromise: Compromise Software Supply Chain (attacker-chosen packages end up in the built image)
- T1557 Adversary-in-the-Middle (substituting download responses on the path between the build and the repository)
🛡️ Detection Rules
CVE-2026-42575: apko Package Mismatch Detection
```yaml
title: CVE-2026-42575: apko Package Mismatch Detection
id: scw-2026-05-09-ai-1
status: experimental
level: low
description: |
  Surfaces executions of the apko tool in 'build' or 'publish' mode. The missing
  checksum comparison in apko versions prior to 1.2.7 (CVE-2026-42575) leaves no
  process-level trace, so this rule cannot detect exploitation itself; use it to
  inventory hosts and pipelines that run apko, confirm their version, and correlate
  builds with repository or mirror changes during the exposure window.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42575/
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith: '/apko'
    CommandLine|contains:
      - 'build'
      - 'publish'
  condition: selection
falsepositives:
  - Every legitimate apko build or publish matches; treat this as a hunting/inventory rule, not an alert
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42575 | Affected versions | apko versions prior to 1.2.7 |
| CVE-2026-42575 | Root cause | apko fails to compare each downloaded .apk package against the checksum recorded for it in the signed APKINDEX (getPackageImpl()) |
| CVE-2026-42575 | Attack vector | An attacker who can substitute download responses (compromised mirror, plain-HTTP repository, poisoned CDN cache) can install arbitrary packages into images built with apko < 1.2.7 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.