HIGH CVE-2026-23742 Published Modified CNA GitHub_M

CVE-2026-23742: Skipper arbitrary code execution through lua filters

Skipper is an HTTP router and reverse proxy for service composition. Before 0.23.0, the default Skipper configuration was -lua-sources=inline,file. The problem arises when untrusted users can create Lua filters, for example through a Kubernetes Ingress resource, which -lua-sources=inline permits. The inline setting allows these users to create a script that can read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.
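An audit check for the condition described above, as an added example that is not part of the advisory or the Skipper project: given a deployment's Skipper version and command-line arguments, it reports whether the inline Lua source is enabled by the pre-0.23.0 default or by an explicit -lua-sources value. The version tags, argument lists and status labels are constructed for illustration, and reporting an explicit inline setting on any version is an assumption of this example.

```python
import re

FIXED = (0, 23, 0)           # first fixed release, per the advisory
OLD_DEFAULT = "inline,file"  # default -lua-sources before 0.23.0, per the advisory

def lua_sources(args):
    """Return the explicit -lua-sources value, or None when the flag is absent."""
    value, it = None, iter(args)
    for arg in it:
        name, eq, val = arg.lstrip("-").partition("=")
        if arg.startswith("-") and name == "lua-sources":
            # Go's flag package accepts -f=v, --f=v and "-f v"; the last one wins.
            value = val if eq else next(it, "")
    return value

def parse_version(tag):
    """Parse 'v0.22.10' or '0.22.10' into a tuple; None for tags like 'latest'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(map(int, m.groups())) if m else None

def assess(version_tag, args):
    """Classify one Skipper deployment (status labels are hypothetical)."""
    explicit = lua_sources(args)
    if explicit is None:
        version = parse_version(version_tag)
        if version is None:
            return "unknown-version"      # cannot tell which default applies
        if version >= FIXED:
            return "fixed-default"        # advisory: fixed in 0.23.0
        effective, status = OLD_DEFAULT, "inline-by-default"
    else:
        effective, status = explicit, "inline-explicit"
    sources = [s.strip() for s in effective.split(",")]
    return status if "inline" in sources else "no-inline"

# Constructed inventory: (version tag, container args). Not real deployments.
SAMPLES = [
    ("v0.22.10", ["skipper"]),
    ("v0.22.10", ["skipper", "-lua-sources=file"]),
    ("v0.23.0", ["skipper", "--lua-sources", "inline,file"]),
    ("latest", ["skipper"]),
]

if __name__ == "__main__":
    for tag, args in SAMPLES:
        print(f"{tag:10} {' '.join(args):40} {assess(tag, args)}")
```

Deployments reported as inline-by-default or inline-explicit are the ones to review when untrusted users can create routes, for example through Ingress resources.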

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in
Affected Products: 1
Affected packages
  • zalando / skipper
    < 0.23.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H