CVE-2026-23742

HIGH

Skipper <0.23.0 - Info Disclosure

Title source: llm

Description

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.

References (3)

[Vendor Advisory] https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g

[Patch] https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714

[Release Notes] https://github.com/zalando/skipper/releases/tag/v0.23.0

Scores

CVSS v3 8.8

EPSS 0.0003

EPSS Percentile 6.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-250 CWE-522 CWE-94

Status published

Products (2)

zalando/skipper < 0.23.0

zalando/skipper 0 - 0.23.0Go

Published Jan 16, 2026

Tracked Since Feb 18, 2026