CVE-2026-23742 in skipper
Summary
by MITRE • 01/16/2026
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/16/2026
The vulnerability identified as CVE-2026-23742 affects Skipper, an HTTP router and reverse proxy designed for service composition within containerized environments. This issue stems from a configuration flaw in Skipper's Lua script execution mechanism that existed prior to version 0.23.0. The default configuration allowed for both inline and file-based Lua script sources, creating a significant security risk when user-controlled configurations are permitted in environments such as Kubernetes clusters where ingress resources can be manipulated by untrusted parties.
The technical flaw manifests through the -lua-sources=inline parameter which permits users to inject arbitrary Lua code directly through configuration mechanisms like Kubernetes Ingress resources. When untrusted users can create Lua filters, they gain the ability to execute malicious scripts that can traverse the filesystem accessible to the Skipper process. This represents a critical privilege escalation vulnerability as the Lua scripting engine can access system resources that should remain protected from user manipulation. The vulnerability is particularly concerning in containerized environments where Skipper typically runs with elevated privileges to manage network traffic and service routing.
The operational impact of this vulnerability extends beyond simple code injection, as it enables attackers to access sensitive system information through filesystem traversal capabilities. When combined with access to log files, malicious users can extract secrets, configuration data, and other sensitive information that the Skipper process has access to. This creates a comprehensive data exfiltration vector that can compromise the entire service mesh or microservices architecture that Skipper is designed to support. The vulnerability affects environments where Kubernetes ingress controllers are used with Skipper, making it particularly relevant to cloud-native deployments that rely on dynamic configuration management.
The mitigation for this vulnerability requires upgrading to Skipper version 0.23.0 or later, which addresses the configuration issue by removing or properly restricting the inline Lua script execution capability. Organizations should also implement strict access controls on ingress resource configurations to prevent untrusted users from creating or modifying Lua filters. Additionally, security practitioners should review existing Skipper configurations to ensure that the -lua-sources parameter does not include inline execution capabilities in production environments. This vulnerability aligns with CWE-94, which covers "Improper Control of Generation of Code ('Code Injection')" and relates to ATT&CK technique T1059.007 for script-based execution, emphasizing the importance of proper input validation and privilege separation in proxy and routing systems.