PT-2026-37053 · Apko

1Seal · Published 2026-05-04 · Updated 2026-05-10 · CVE-2026-42576

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: apko versions prior to 1.2.7
Description: The DiscoverKeys() function in pkg/apk/apk/implementation.go performs an unconditional type assertion of JWKS (JSON Web Key Set) keys as *rsa.PublicKey without verifying the key type. If a repository JWKS endpoint returns a non-RSA key, such as an Elliptic Curve (EC) key, the unchecked assertion causes a panic and crashes the application. This affects any workflow that initializes the APK database and fetches repository keys.
Recommendations: Update to version 1.2.7.
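The following is an added illustration of the bug class described above, written for this advisory; it is not apko's own code, and the function names, the locally generated RSA and EC keys standing in for a repository's JWKS response, and the panic-catching helper are all constructed for the example. It places the unchecked single-value assertion beside the two-value form that returns an error instead of crashing.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// constructedKeys stands in for what a repository JWKS endpoint could hand back:
// one RSA key and one EC key. Both are generated locally for this sample
// (1024-bit RSA only to keep the sample fast).
func constructedKeys() []crypto.PublicKey {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return []crypto.PublicKey{&rsaKey.PublicKey, &ecKey.PublicKey}
}

// unsafeRSAKeys mirrors the pattern the advisory describes: an unconditional
// type assertion, which panics as soon as a non-RSA key appears in the set.
func unsafeRSAKeys(keys []crypto.PublicKey) []*rsa.PublicKey {
	out := make([]*rsa.PublicKey, 0, len(keys))
	for _, k := range keys {
		out = append(out, k.(*rsa.PublicKey)) // panics on *ecdsa.PublicKey
	}
	return out
}

// safeRSAKeys uses the two-value assertion and reports the unexpected key
// type as an error, so the caller can reject the repository without crashing.
func safeRSAKeys(keys []crypto.PublicKey) ([]*rsa.PublicKey, error) {
	out := make([]*rsa.PublicKey, 0, len(keys))
	for i, k := range keys {
		rk, ok := k.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("jwks key %d: unsupported key type %T", i, k)
		}
		out = append(out, rk)
	}
	return out, nil
}

// panics reports whether fn panics, so the crash can be shown in-process.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	keys := constructedKeys()
	fmt.Println("unchecked assertion panics:", panics(func() { unsafeRSAKeys(keys) }))
	_, err := safeRSAKeys(keys)
	fmt.Println("checked assertion returns error:", err)
}
```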

Fix

DoS

Incorrect Type Conversion or Cast

Weakness Enumeration

Related Identifiers

CVE-2026-42576
GHSA-M7HM-VM4X-28JF

Affected Products

Apko