PT-2026-57371 · Go · Chainguard.Dev/Apko+1

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-54174

CVSS v3.1

8.3

High

VectorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54174
GHSA-FPG8-7664-JC5Q

Affected Products

Chainguard.Dev/Apko
Chainguard.Dev/Melange