HTTP Router Vulnerability in Zalando Skipper Prior to 0.26.10
CVE-2026-50197
7.8HIGH
What is CVE-2026-50197?
Zalando Skipper, an HTTP router and reverse proxy, prior to version 0.26.10, has a vulnerability in its OpenPolicyAgent integration. This flaw allows an attacker to bypass request-body inspection on HTTP/1.1 Transfer-Encoding: chunked requests, as well as on HTTP/2 requests that lack the content-length pseudo-header. The issue arises because the filtering components produce an empty raw body, resulting in the upstream service receiving the full request body, which may contain malicious input. This vulnerability has been addressed in version 0.26.10.
Affected Version(s)
skipper < 0.26.10
