CVE-2026-23742

8.8 HIGH

📋 TL;DR

CVE-2026-23742 allows attackers with the ability to create Lua filters in Skipper to read arbitrary files accessible to the Skipper process, potentially exposing sensitive secrets. This affects Skipper deployments where untrusted users can create Lua filters through interfaces such as Kubernetes Ingress resources. The vulnerability exists because of the default '-lua-sources=inline,file' configuration.

💻 Affected Systems

Products:
  • Skipper HTTP router and reverse proxy
Versions: All versions before 0.23.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if untrusted users can create Lua filters (e.g., through Kubernetes Ingress). The default configuration includes '-lua-sources=inline', which enables the vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Skipper secrets and sensitive files, leading to lateral movement, data exfiltration, or service disruption.

🟠 Likely Case

Unauthorized reading of configuration files, logs, and secrets stored in accessible filesystems.

🟢 If Mitigated

Limited impact if proper access controls prevent untrusted users from creating Lua filters.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create Lua filters. No public exploit code has been identified, but the vulnerability is straightforward to exploit given the prerequisite access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.23.0

Vendor Advisory: https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g

Restart Required: Yes

Instructions:

1. Update Skipper to version 0.23.0 or later.
2. Restart Skipper services.
3. Verify the new version is running with 'skipper -version'.

🔧 Temporary Workarounds

Remove inline Lua source (applies to: all)

Modify the Skipper configuration to remove 'inline' from the -lua-sources parameter:

skipper -lua-sources=file

Restrict Lua filter creation (applies to: all)

Implement access controls to prevent untrusted users from creating Lua filters.

🧯 If You Can't Patch

  • Implement strict access controls to prevent untrusted users from creating Lua filters
  • Monitor for suspicious Lua filter creation attempts and file read operations

🔍 How to Verify

Check if Vulnerable:

Check the Skipper version with 'skipper -version' and verify whether it is below 0.23.0. Also check the configuration for '-lua-sources=inline' (note that the default configuration includes 'inline', so the flag being absent does not mean it is disabled).

Check Version:

skipper -version

Verify Fix Applied:

Confirm the Skipper version is 0.23.0 or higher with 'skipper -version'. Verify the configuration no longer includes 'inline' in '-lua-sources', or that Lua filter creation has been properly restricted.
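The two checks above (version below 0.23.0, and 'inline' present in or defaulted into -lua-sources) can be scripted. The following POSIX shell script is an added example, not part of the advisory or of the Skipper project; it assumes only that 'skipper -version' prints a version token in x.y.z form somewhere in its output, and that the running process's arguments can be read (for example from /proc). The sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Skipper project): assess a Skipper
# deployment against CVE-2026-23742 using the advisory's two criteria:
#   1. version below 0.23.0, and
#   2. '-lua-sources' containing 'inline' (which the advisory says is the default).

# Pull the first x.y.z token out of a version string. The exact output format of
# 'skipper -version' is an assumption; only the numeric token is used.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# inline_lua_enabled CMDLINE: exit 0 when inline Lua sources are active.
# An absent (or empty) -lua-sources flag means the default applies, which
# per the advisory includes 'inline'.
inline_lua_enabled() {
    val=$(printf '%s\n' "$1" \
        | grep -oE -- '-lua-sources[= ][^ ]*' | head -n 1 \
        | sed -E 's/^-lua-sources[= ]//')
    if [ -z "$val" ]; then return 0; fi
    printf '%s\n' "$val" | tr ',' '\n' | grep -qx 'inline'
}

# assess_skipper VERSION_OUTPUT CMDLINE
# Prints one of: unknown | patched | mitigated | vulnerable
assess_skipper() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! version_lt "$ver" "0.23.0"; then echo "patched"; return 0; fi
    if inline_lua_enabled "$2"; then echo "vulnerable"; else echo "mitigated"; fi
    return 0
}

# Constructed sample inputs (not real deployments):
echo "default flags, old build:    $(assess_skipper 'Skipper version v0.22.1' 'skipper -kubernetes')"
echo "workaround applied:          $(assess_skipper 'Skipper version v0.22.1' 'skipper -kubernetes -lua-sources=file')"
echo "fixed release:               $(assess_skipper 'Skipper version v0.23.0' 'skipper -kubernetes')"

# Against a live host you would feed real values instead, for example:
#   assess_skipper "$(skipper -version 2>&1)" "$(tr '\0' ' ' < /proc/"$(pgrep -x skipper | head -n 1)"/cmdline)"
```

'mitigated' means the build is still below 0.23.0 but the inline source has been removed, which is the advisory's temporary workaround; the version check alone is not sufficient because the default configuration enables inline sources without any flag being present.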

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized Lua filter creation attempts
  • Unexpected file read operations from Skipper process

Network Indicators:

  • Suspicious requests to Lua filter endpoints

SIEM Query:

process:skipper AND (event:lua_filter_creation OR file_read:unexpected)
