CVE-2026-42574: High-Severity Path Traversal Flaw Discovered in Apko Container Build Tool

Security researchers have disclosed CVE-2026-42574, a high-severity vulnerability affecting apko, the open-source tool developed by Chainguard for building and publishing OCI container images from apk packages. The flaw carries a CVSS score of 7.5 (High) and impacts all releases from version 0.14.8 through any version prior to 1.2.5. The vulnerability stems from insufficient validation of symbolic link entries during the package installation process.

The core weakness lies in how apko processes crafted .apk files containing TypeSymlink tar entries. When a malicious package is processed, an attacker can embed a symbolic link whose target resolves to a location outside the designated build root directory. This path traversal allows symlinks to escape the sandboxed build environment, potentially exposing host filesystem resources to manipulation. A subsequent build operation that references these external symlinks could trigger unintended file operations on the underlying system.

Organizations using apko in automated build pipelines or CI/CD workflows face elevated risk, as these environments frequently operate with heightened privileges. Security advisories recommend immediate upgrading to version 1.2.5 or later, where the vulnerable code path has been patched. Teams should also audit recent container images and build artifacts for signs of tampering, and apply strict validation to any third-party or untrusted apk packages before processing them through apko. The disclosure adds to ongoing concerns about supply chain security in the container ecosystem, particularly risks targeting build-time processes.