CVE-2026-23742
CVE-2026-23742 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zalando | Skipper | < 0.23.0 |
References
- https://github.com/zalando/skipper/releases/tag/v0.23.0 (Product, Release Notes)
- https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g (Exploit, Mitigation, Vendor Advisory)
Source: NVD / NIST
