Security Flaw in Skipper HTTP Router by Zalando
CVE-2026-23742

8.8 HIGH

Key Information:

Vendor: Zalando

Status: Vendor

CVE Published: 16 January 2026

What is CVE-2026-23742?

Skipper is an HTTP router and reverse proxy used for service composition. In its default configuration before version 0.23.0, the -lua-sources parameter allows untrusted users to create and inject Lua filters. An attacker can exploit this through a Kubernetes Ingress resource to gain unauthorized access to the underlying filesystem, and, if they can read the logs, to sensitive secrets held by Skipper. The issue is fixed in Skipper version 0.23.0; upgrading to that version is recommended.

Affected Version(s)

skipper < 0.23.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved