Home > Vulnerability Database > CVE-2026-23742

Mend.io Vulnerability Database

CVE-2026-23742

Good to know:

Date: January 16, 2026

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.

Severity Score

8.8

Related Resources (6)

Url: https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714

Url: https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g

Url: https://github.com/zalando/skipper

Url: https://github.com/zalando/skipper/releases/tag/v0.23.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23742

Url: https://www.mend.io/vulnerability-database/CVE-2026-23742

Severity Score

8.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Insufficiently Protected Credentials

CWE-522

Execution with Unnecessary Privileges

CWE-250

Top Fix

Upgrade Version

Upgrade to version github.com/zalando/skipper - v0.23.0;https://github.com/zalando/skipper.git - v0.23.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23742

Good to know:

Date: January 16, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?