Home > Vulnerability Database > CVE-2026-24470

Mend.io Vulnerability Database

CVE-2026-24470

Good to know:

Date: January 26, 2026

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.

Severity Score

8.1

Related Resources (7)

Url: https://kubernetes.io/docs/concepts/services-networking/service/#externalname

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24470

Url: https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219

Url: https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9

Url: https://github.com/zalando/skipper

Url: https://github.com/zalando/skipper/releases/tag/v0.24.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-24470

Severity Score

8.1

Weakness Type (CWE)

Unintended Proxy or Intermediary ('Confused Deputy')

CWE-441

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/zalando/skipper - v0.24.0;github.com/zalando/skipper - v0.24.0;https://github.com/zalando/skipper.git - v0.24.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24470

Good to know:

Date: January 26, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?