{"id":"CVE-2026-54174","aliases":["GHSA-fpg8-7664-jc5q"],"title":"melange: Incomplete package integrity verification allows data section substitution","summary":"melange: Incomplete package integrity verification allows data section substitution","severity":"high","cvss":8.3,"cwe":["CWE-345","CWE-354"],"vendor":"apko","product":"chainguard.dev/apko","ecosystem":"go","affected":["chainguard.dev/apko < 1.2.9","chainguard.dev/melange < 0.50.4"],"patched":["chainguard.dev/apko 1.2.9","chainguard.dev/melange 0.50.4"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-fpg8-7664-jc5q","references":[{"url":"https://github.com/chainguard-dev/melange/security/advisories/GHSA-fpg8-7664-jc5q"},{"url":"https://github.com/advisories/GHSA-fpg8-7664-jc5q"}],"tags":["ghsa","go"],"ingestedAt":"2026-07-10T22:06:49.364Z","slug":"CVE-2026-54174","body":"## Overview\n\nPreviously, Apko verified the control section hash (`.PKGINFO` etc.) against the signed `APKINDEX`, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.\n\n## Affected packages\n\n- `chainguard.dev/apko < 1.2.9`\n- `chainguard.dev/melange < 0.50.4`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `chainguard.dev/apko 1.2.9`\n- `chainguard.dev/melange 0.50.4`","depth":"twilight","depthScore":46,"depthScoreParts":{"impact":45.7,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}