CVE-2026-23742
HIGH 8.8
Description
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem arises when untrusted users can create lua filters, for example through a Kubernetes Ingress resource, because -lua-sources=inline is enabled. The inline setting allows these users to create a script that can read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.
CVE Details
CVSS v3.1 Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Published: 1/16/2026
Last Modified: 2/18/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
zalando:skipper
Weaknesses (CWE)
CWE-94, CWE-250, CWE-522
References
https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 (security-advisories@github.com)
https://github.com/zalando/skipper/releases/tag/v0.23.0 (security-advisories@github.com)
https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.