HTTP Router Vulnerability in Zalando Skipper Prior to 0.26.10
CVE-2026-50197

7.8HIGH

Key Information:

Vendor

Zalando

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-50197?

Zalando Skipper, an HTTP router and reverse proxy, prior to version 0.26.10, has a vulnerability in its OpenPolicyAgent integration. This flaw allows an attacker to bypass request-body inspection on HTTP/1.1 Transfer-Encoding: chunked requests, as well as on HTTP/2 requests that lack the content-length pseudo-header. The issue arises because the filtering components produce an empty raw body, resulting in the upstream service receiving the full request body, which may contain malicious input. This vulnerability has been addressed in version 0.26.10.

Affected Version(s)

skipper < 0.26.10

References

CVSS V4

Score:
7.8
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.