A high-severity vulnerability affecting chainguard.dev/apko versions < 1.2.9 affecting chainguard.dev/melange versions < 0.50.4, identified as CVE-2026-54174 with a CVSS score of 8.3, affects packages that utilize incomplete package integrity verification, allowing data section substitution by an attacker. This flaw enables the substitution of arbitrary file contents while the control hash check still passes, thereby compromising package authenticity. The attack vector is network-based and requires high privileges for exploitation. An unauthenticated remote attacker can exploit this vulnerability via a network attack vector, resulting in significant business impact due to potential data tampering and integrity breaches.
The following reports contain further technical details:[/subscribe_to_unlock_form]
A high-severity vulnerability affecting chainguard.dev/apko versions < 1.2.9 affecting chainguard.dev/melange versions < 0.50.4, identified as CVE-2026-54174 with a CVSS score of 8.3, affects packages that utilize incomplete package integrity verification, allowing data section substitution by an attacker. This flaw enables the substitution of arbitrary file contents while the control hash check still passes, thereby compromising package authenticity. The attack vector is network-based and requires high privileges for exploitation. An unauthenticated remote attacker can exploit this vulnerability via a network attack vector, resulting in significant business impact due to potential data tampering and integrity breaches.
The following reports contain further technical details:[emaillocker id="1283"]
[/emaillocker]