93 matches found
CVE-2026-50197 Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests
Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the...
CVE-2026-50197
Summary: CVE-2026-50197 affects zalando/skipper’s OpenPolicyAgent integration. When clients use HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 without Content-Length, the opaAuthorizeRequestWithBody flow exposes an empty raw_body and parsed input.parsed_body to OPA, causing policy checks that rely...
GHSA-CWXQ-RC9X-2JVV Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS
Summary The Kubernetes admission webhook handler reads the entire request body using io.ReadAllr.Body without any size limit. Any client that can reach the webhook port within the cluster can send a multi-GB payload, causing the skipper process to exhaust memory and be OOM-killed. This disrupts a...
CVE-2026-50197
creationtimestamp| type| source ---|---|--- 2026-07-08 22:35:12+00:00| published-proof-of-concept| https://github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf...
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...
GHSA-659F-RGP5-W4WF Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests
Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...
PT-2026-56679
Name of the Vulnerable Software and Affected Versions zalando/skipper versions prior to 0.26.10 Description The OpenPolicyAgent integration in zalando/skipper contains a flaw that allows request-body inspection to be bypassed. This occurs during HTTP/1.1 requests using Transfer-Encoding: chunked...
SUSE CVE-2026-23742
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The...
SUSE CVE-2026-24470
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...
GO-2026-4327 Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper
Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper...
PT-2026-6504
Skipper is vulnerable to arbitrary code execution through lua filters in github.com/zalando/skipper...
GO-2026-4378 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName in github.com/zalando/skipper
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName in github.com/zalando/skipper...
CVE-2026-24470
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Impact When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Patches https://github.com/zalando/skipper/releases/tag/v0.24.0...
GHSA-MXXC-P822-2HX9 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Impact When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Patches https://github.com/zalando/skipper/releases/tag/v0.24.0...
CVE-2026-24470
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...
CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...
CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...
CVE-2026-24470
CVE-2026-24470 affects the Skipper HTTP router/reverse proxy. Before v0.24.0, when Skipper runs as an Ingress controller, users with Ingress and ExternalName Service permissions could create routes enabling Skipper’s network access to reach internal services. The issue is mitigated by disabling K...
CVE-2026-24470 Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach...