Security Flaw in Skipper HTTP Router by Zalando
CVE-2026-23742

8.8 HIGH

Key Information:

Vendor: Zalando

Status
Vendor
CVE Published: 16 January 2026

What is CVE-2026-23742?

The Skipper HTTP router, used for service composition, is vulnerable in its default configuration before version 0.23.0. Specifically, the -lua-sources parameter allows untrusted users to create and inject Lua filters. An attacker could exploit this through a Kubernetes Ingress resource to gain unauthorized read access to the underlying filesystem. An attacker who can also read the logs could obtain sensitive secrets stored within Skipper. The issue is fixed in Skipper version 0.23.0, and upgrading to that version is recommended.
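A defensive audit for the exposure described above, as an added example that is not part of the original advisory or of Skipper's own code: it flags Ingress objects whose Skipper annotations contain a lua() filter and checks a version string against 0.23.0. The annotation names zalando.org/skipper-filter and zalando.org/skipper-routes are assumptions taken from Skipper's Kubernetes documentation rather than this page, and the sample objects are constructed.

```python
import re

# Ingress annotations that carry Skipper filters/routes. Assumption: names taken
# from Skipper's Kubernetes documentation, not from this advisory page.
SKIPPER_ANNOTATIONS = ("zalando.org/skipper-filter", "zalando.org/skipper-routes")

# A lua( filter call in eskip syntax. Over-reports on purpose (e.g. "lua(" inside
# a quoted argument) so that every hit gets a human review.
LUA_FILTER = re.compile(r"\blua\s*\(")
FIXED_VERSION = (0, 23, 0)  # first fixed release according to the advisory


def is_affected(version):
    """True when a Skipper version such as 'v0.22.5' is below 0.23.0."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) < FIXED_VERSION


def find_lua_filters(ingress_list):
    """Return (namespace, name, annotation) for each Ingress carrying a lua() filter."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for key in SKIPPER_ANNOTATIONS:
            if LUA_FILTER.search(annotations.get(key, "")):
                findings.append((meta.get("namespace", "default"), meta.get("name"), key))
    return findings


# Constructed sample, shaped like the output of `kubectl get ingress -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "team-a", "name": "shop", "annotations": {
        "zalando.org/skipper-filter": 'lua("function request(c, p) end")'}}},
    {"metadata": {"namespace": "team-b", "name": "api", "annotations": {
        "zalando.org/skipper-filter": 'setRequestHeader("X-Team", "b")'}}},
    {"metadata": {"namespace": "team-c", "name": "docs"}},  # no annotations at all
]}

if __name__ == "__main__":
    for ns, name, key in find_lua_filters(SAMPLE):
        print(f"review {ns}/{name}: lua() filter in {key}")
    print("v0.22.9 affected:", is_affected("v0.22.9"))
```
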

Affected Version(s)

skipper < 0.23.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
