Threat Advisory

Apko Incomplete Package Verification Allows Data Section Substitution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A high-severity vulnerability affecting chainguard.dev/apko versions < 1.2.9 affecting chainguard.dev/melange versions < 0.50.4, identified as CVE-2026-54174 with a CVSS score of 8.3, affects packages that utilize incomplete package integrity verification, allowing data section substitution by an attacker. This flaw enables the substitution of arbitrary file contents while the control hash check still passes, thereby compromising package authenticity. The attack vector is network-based and requires high privileges for exploitation. An unauthenticated remote attacker can exploit this vulnerability via a network attack vector, resulting in significant business impact due to potential data tampering and integrity breaches.

RECOMMENDATIONS:

  • We recommend you to update apko to version 1.2.9.
  • We recommend you to update melange to version 0.50.4.

REFERENCES:

The following reports contain further technical details:[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A high-severity vulnerability affecting chainguard.dev/apko versions < 1.2.9 affecting chainguard.dev/melange versions < 0.50.4, identified as CVE-2026-54174 with a CVSS score of 8.3, affects packages that utilize incomplete package integrity verification, allowing data section substitution by an attacker. This flaw enables the substitution of arbitrary file contents while the control hash check still passes, thereby compromising package authenticity. The attack vector is network-based and requires high privileges for exploitation. An unauthenticated remote attacker can exploit this vulnerability via a network attack vector, resulting in significant business impact due to potential data tampering and integrity breaches.

RECOMMENDATIONS:

  • We recommend you to update apko to version 1.2.9.
  • We recommend you to update melange to version 0.50.4.

REFERENCES:

The following reports contain further technical details:[emaillocker id="1283"]

[/emaillocker]
crossmenu