CVE 8.8 HIGH

Skipper arbitrary code execution through lua filters_CVE-2026-23742

January 16, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.

AI Analysis

Arbitrary code execution through lua filters in Skipper versions before 0.23.0

Basic Information

ID CVE-2026-23742

Source GitHub_M

Published Jan 16, 2026 at 20:07

Modified Jan 16, 2026 at 20:24

Affected Product

Vendor zalando

Product skipper

Version < 0.23.0

Affected Versions zalando skipper < 0.23.0

CWE Classification

CWE-94 CWE-250 CWE-522

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Zalando

Product Skipper

Version < 0.23.0

References

{
    "lastseen": "",
    "description": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.",
    "published": "2026-01-16T20:07:46.746Z",
    "modified": "2026-01-16T20:24:12.702Z",
    "type": "cve",
    "title": "Skipper arbitrary code execution through lua filters",
    "source": "GitHub_M",
    "references": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g\nhttps://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714\nhttps://github.com/zalando/skipper/releases/tag/v0.23.0",
    "id": "CVE-2026-23742",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-250",
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "zalando skipper < 0.23.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "skipper",
    "version": "< 0.23.0",
    "vendor": "zalando",
    "ai_description": "Arbitrary code execution through lua filters in Skipper versions before 0.23.0",
    "ai_severity": "High",
    "ai_vendor": "Zalando",
    "ai_product": "Skipper",
    "ai_version": "< 0.23.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply