CVE-2026-23742

Skipper arbitrary code execution through lua filters

CVSS 8.8 HIGHEPSS 0.5%CWE-250 CWE-522 CWE-94

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 jan 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

zalando · skipper

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 https://github.com/zalando/skipper/releases/tag/v0.23.0 https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g