← back
CVE-2026-42576

apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

CVSS 6.5 MEDIUMEPSS 0.3%CWE-704
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
chainguard-dev · apko

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1https://github.com/chainguard-dev/apko/releases/tag/v1.2.7https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf