CVE-2026-23742
Severity: HIGH
Skipper < 0.23.0 - Unauthenticated Information Disclosure via Lua Filter Script Injection
Skipper is an HTTP router and reverse proxy for service composition. The default Skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts when untrusted users can create Lua filters, which -lua-sources=inline permits, for example through a Kubernetes Ingress resource. The inline source allows these users to create a script that can read the filesystem accessible to the Skipper process, and if the user can also read the logs, they can read Skipper secrets. This vulnerability is fixed in 0.23.0.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g
Patch (x_refsource_misc): https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714
Release Notes (x_refsource_misc): https://github.com/zalando/skipper/releases/tag/v0.23.0
Scores
CVSS v3: 8.8
EPSS: 0.0047
EPSS Percentile: 37.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-250, CWE-522, CWE-94
Status: published
Products (2)
zalando/skipper: < 0.23.0
zalando/skipper: 0 - 0.23.0 (Go)
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026