CVE-2026-42574

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

CVSS 7.5 HIGHEPSS 0.4%CWE-22 CWE-59

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

09 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

chainguard-dev · apko

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442 https://github.com/chainguard-dev/apko/pull/2187 https://github.com/chainguard-dev/apko/releases/tag/v1.2.5 https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6