CVE-2026-42576: apko `DiscoverKeys` has a panic on non-RSA JWKS key that causes crash during key discovery
DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts each JWKS key as *rsa.PublicKey without first checking the key type. If a repository's JWKS endpoint returns a non-RSA key (for example an EC key), the unchecked single-value assertion panics and crashes apko. Any workflow that initializes the APK database and fetches repository keys is affected. Affected versions: <= 0.30.34.
Fix: No fix available yet.
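The crash class described above, as an added illustration that is not apko's own code: the unchecked single-value type assertion (`unsafeRSAKey`) panics on an EC key, while the two-value form (`safeRSAKey`) turns the same input into an error the caller can handle. Function names are hypothetical and the keys are generated inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// ErrUnsupportedKeyType is returned when a JWKS entry is not an RSA key.
var ErrUnsupportedKeyType = errors.New("jwks: unsupported key type")

// unsafeRSAKey mirrors the vulnerable pattern: a single-value assertion
// panics when the underlying key is not *rsa.PublicKey (hypothetical helper).
func unsafeRSAKey(k any) *rsa.PublicKey {
	return k.(*rsa.PublicKey)
}

// safeRSAKey uses the comma-ok form, so a non-RSA key yields a typed error
// instead of taking the whole process down.
func safeRSAKey(k any) (*rsa.PublicKey, error) {
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("%w: got %T", ErrUnsupportedKeyType, k)
	}
	return pub, nil
}

// panics reports whether unsafeRSAKey(k) panics, by recovering from it.
func panics(k any) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	unsafeRSAKey(k)
	return false
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed EC key
	fmt.Println("unchecked assertion panics on EC key:", panics(&ecKey.PublicKey))
	_, err := safeRSAKey(&ecKey.PublicKey)
	fmt.Println("checked assertion on EC key:", err)
	_, err = safeRSAKey(&rsaKey.PublicKey)
	fmt.Println("checked assertion on RSA key, err =", err)
}
```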
Acknowledgements
apko thanks Oleh Konko from 1seal for discovering and reporting this issue.