Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a…
| CVE ID | CVE-2026-54174 |
| Vendor | go |
| Affected Product | chainguard.dev/apko |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.3 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
Previously, Apko verified the control section hash (.PKGINFO etc.) against the signed APKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.