5 matches found
CVE-2026-50197 Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests
Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the...
CVE-2026-24470
CVE-2026-24470 affects the Skipper HTTP router/reverse proxy. Before v0.24.0, when Skipper runs as an Ingress controller, users with Ingress and ExternalName Service permissions could create routes enabling Skipper’s network access to reach internal services. The issue is mitigated by disabling K...
CVE-2022-27262
An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows attackers to execute arbitrary code via a crafted file...
CVE-2022-34296
In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request...
CVE-2022-27262
An arbitrary file upload vulnerability in the file upload module of Skipper v0.9.1 allows attackers to execute arbitrary code via a crafted file...