CVE-2026-23742

Skipper arbitrary code execution through lua filters

CVSS 8.8 (High) · EPSS 0.5% · CWE-250 · CWE-522 · CWE-94
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track (no exploitation signal → monitor)
KEV: no
Lifecycle: 16 Jan 2026, published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Skipper is an HTTP router and reverse proxy for service composition. Before 0.23.0, Skipper's default configuration was -lua-sources=inline,file. The problem arises when untrusted users can create Lua filters, which the inline source type makes possible, for example through a Kubernetes Ingress resource. With inline enabled, such a user can submit a script that reads whatever part of the filesystem is accessible to the skipper process, and if the user can also read Skipper's logs, they can read Skipper's secrets. This vulnerability is fixed in 0.23.0.
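As an added example, not part of this advisory or of the Skipper project's own code: a POSIX shell script with two offline checks for the condition the advisory describes. The first reads a skipper command line and reports whether the inline Lua source type is enabled, treating an absent -lua-sources flag as the pre-0.23.0 default named above. The second scans an eskip filter chain, such as the value of a zalando.org/skipper-filter Ingress annotation, for lua() filters whose first argument is inline script rather than a file. Assumptions, which the comments label as such: the flag may be spelled -lua-sources or --lua-sources with either = or a separate value; Skipper treats a lua() source ending in .lua as a file path and any other string as inline source; the sample argument strings and annotation values are constructed for the example, and the kubectl invocation in the comment assumes a deployment name and namespace.

```shell
#!/bin/sh
# Added example (not Skipper's own code): two offline checks for the
# condition described in the advisory. Assumptions are marked below.

# Constructed sample command lines, as they might appear in a Deployment's
# container args (not taken from any real cluster).
SAMPLE_ARGS_VULNERABLE='skipper -kubernetes -address=:9090 -lua-sources=inline,file'
SAMPLE_ARGS_DEFAULT='skipper -kubernetes -address=:9090'
SAMPLE_ARGS_HARDENED='skipper -kubernetes -address=:9090 -lua-sources=file'

# Constructed sample values of the zalando.org/skipper-filter Ingress annotation.
SAMPLE_ANNOTATION_FILE='lua("/etc/skipper/scripts/ratelimit.lua", "limit=10")'
SAMPLE_ANNOTATION_INLINE='lua("function request(ctx, params) ctx.request.header.X_Probe = params[1] end", "x")'

# Print the effective -lua-sources value for a skipper argv string.
# Assumption: the flag may be written -lua-sources=VALUE, --lua-sources=VALUE,
# or -lua-sources VALUE. When it is absent, the pre-0.23.0 default named in
# the advisory (inline,file) is assumed to apply.
skipper_lua_sources() {
  value=""
  expect_value=0
  for tok in $1; do
    if [ "$expect_value" -eq 1 ]; then
      value=$tok
      expect_value=0
      continue
    fi
    case "$tok" in
      -lua-sources=*|--lua-sources=*) value=${tok#*=} ;;
      -lua-sources|--lua-sources) expect_value=1 ;;
    esac
  done
  [ -n "$value" ] || value="inline,file"
  printf '%s\n' "$value"
}

# Exit 0 when "inline" is among the enabled Lua sources, 1 otherwise.
skipper_inline_lua_enabled() {
  case ",$(skipper_lua_sources "$1")," in
    *,inline,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when an eskip filter chain (e.g. an Ingress annotation) carries a
# lua() filter whose first argument is inline source rather than a file.
# Assumption: a double-quoted first argument ending in ".lua" is a file path
# and anything else is inline script; escaped quotes inside the argument
# are not handled.
ingress_filter_uses_inline_lua() {
  srcs=$(printf '%s\n' "$1" | grep -o 'lua("[^"]*"' | sed 's/^lua("//; s/"$//')
  while IFS= read -r src; do
    case "$src" in
      "") ;;
      *.lua) ;;
      *) return 0 ;;
    esac
  done <<EOF
$srcs
EOF
  return 1
}

# Report on the constructed samples. On a live cluster the argv string would
# come from something like (assumed deployment name and namespace):
#   kubectl -n ingress get deploy skipper \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}'
for a in "$SAMPLE_ARGS_VULNERABLE" "$SAMPLE_ARGS_DEFAULT" "$SAMPLE_ARGS_HARDENED"; do
  if skipper_inline_lua_enabled "$a"; then
    echo "inline Lua ENABLED : $a"
  else
    echo "inline Lua disabled: $a"
  fi
done
for f in "$SAMPLE_ANNOTATION_FILE" "$SAMPLE_ANNOTATION_INLINE"; do
  if ingress_filter_uses_inline_lua "$f"; then
    echo "inline lua() filter: $f"
  else
    echo "file-backed lua()  : $f"
  fi
done
```

The second check matters because the first only tells you whether inline scripts are accepted; finding a lua() annotation with inline source in a namespace owned by a tenant you do not trust is the concrete instance of what the advisory warns about. Setting -lua-sources=file on a build older than 0.23.0 removes the inline type; the advisory does not state what default 0.23.0 ships, so verify the flag rather than relying on the version alone.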
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
zalando · skipper
