---
id: CVE-2026-54174
aliases:
  - GHSA-fpg8-7664-jc5q
title: >-
  melange: Incomplete package integrity verification allows data section
  substitution
summary: >-
  melange: Incomplete package integrity verification allows data section
  substitution
severity: high
cvss: 8.3
cwe:
  - CWE-345
  - CWE-354
vendor: apko
product: chainguard.dev/apko
ecosystem: go
affected:
  - chainguard.dev/apko < 1.2.9
  - chainguard.dev/melange < 0.50.4
patched:
  - chainguard.dev/apko 1.2.9
  - chainguard.dev/melange 0.50.4
published: '2026-07-10'
updated: '2026-07-10'
source: GHSA
sourceUrl: 'https://github.com/advisories/GHSA-fpg8-7664-jc5q'
references:
  - url: >-
      https://github.com/chainguard-dev/melange/security/advisories/GHSA-fpg8-7664-jc5q
  - url: 'https://github.com/advisories/GHSA-fpg8-7664-jc5q'
tags:
  - ghsa
  - go
ingestedAt: '2026-07-10T22:06:49.364Z'
---

## Overview

Previously, Apko verified the control section hash (`.PKGINFO` etc.) against the signed `APKINDEX`, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.

## Affected packages

- `chainguard.dev/apko < 1.2.9`
- `chainguard.dev/melange < 0.50.4`

## Remediation

Upgrade to a patched release:

- `chainguard.dev/apko 1.2.9`
- `chainguard.dev/melange 0.50.4`
