SCA: security update for chainguard.dev/apko (GHSA-m7hm-vm4x-28jf)

medium Tenable Self-Hosted Container Security Plugin ID 441087

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- apko allows users to build and publish OCI container images built from apk packages. Prior to version
1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as
*rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g.
EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK
database and fetches repository keys. This issue has been patched in version 1.2.7. (CVE-2026-42576)

Solution

Update the chainguard.dev/apko library and its related packages to version 1.2.7 or later.

See Also

https://github.com/advisories/GHSA-m7hm-vm4x-28jf

Plugin Details

Severity: Medium

ID: 441087

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 5/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-42576

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42576

cwe: CWE-704