CVE-2026-23742: CWE-94: Improper Control of Generation of Code ('Code Injection') in zalando skipper
CVE-2026-23742 is a high-severity code injection vulnerability in Zalando's Skipper HTTP router and reverse proxy versions prior to 0.23.0. The vulnerability arises from the default configuration allowing inline Lua scripts (-lua-sources=inline,file), which can be exploited if untrusted users can create Lua filters, for example via Kubernetes Ingress resources. Exploitation enables attackers with limited privileges to execute arbitrary Lua code, potentially reading the filesystem accessible to the Skipper process, including sensitive logs and secrets. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability requires at least low privileges (PR:L) but no user interaction and can be exploited remotely over the network. The issue is fixed in version 0.23.0.
AI Analysis
Technical Summary
Zalando's Skipper is an HTTP router and reverse proxy widely used for service composition, often deployed in Kubernetes environments. Versions prior to 0.23.0 have a default configuration enabling Lua scripting from inline sources (-lua-sources=inline,file). This configuration flaw allows users who can create Lua filters—potentially through Kubernetes Ingress resources—to inject arbitrary Lua code. Since Lua scripts run with the privileges of the Skipper process, an attacker can read any files accessible to Skipper, including sensitive logs and secrets stored on the filesystem. This represents a classic code injection vulnerability (CWE-94) combined with improper access control (CWE-250) and information exposure (CWE-522). The vulnerability requires the attacker to have at least low privileges (PR:L) but no user interaction is needed, and it can be exploited remotely (AV:N). The impact includes full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability was assigned CVE-2026-23742 and has a CVSS v3.1 score of 8.8, indicating high severity. The issue was resolved in Skipper version 0.23.0 by disabling inline Lua sources by default, preventing untrusted users from injecting Lua code. No known exploits are currently reported in the wild, but the potential impact is significant given the nature of the vulnerability and the common use of Skipper in cloud-native environments.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those leveraging Kubernetes and microservices architectures where Skipper is used as an ingress controller or reverse proxy. Exploitation can lead to unauthorized disclosure of sensitive data, including secrets and logs, potentially exposing credentials, tokens, or other confidential information. Attackers could also manipulate or disrupt service routing, impacting availability and integrity of services. This could result in data breaches, service outages, and compliance violations under GDPR and other data protection regulations. Organizations in sectors such as finance, healthcare, and critical infrastructure are particularly vulnerable due to the sensitivity of their data and the criticality of their services. The ease of remote exploitation without user interaction increases the threat level, making timely patching and configuration hardening essential to prevent compromise.
Mitigation Recommendations
1. Upgrade all Skipper deployments to version 0.23.0 or later, where the vulnerability is fixed by disabling inline Lua sources by default.
2. Restrict the ability to create or modify Lua filters to trusted administrators only, especially in Kubernetes Ingress configurations.
3. Implement strict RBAC policies in Kubernetes to prevent untrusted users from injecting Lua scripts or modifying ingress resources.
4. Monitor and audit Skipper logs and Kubernetes ingress configurations for unauthorized changes or suspicious Lua filter creation.
5. Use network segmentation and firewall rules to limit access to Skipper management interfaces.
6. Employ runtime security tools to detect anomalous Lua script executions or filesystem access patterns by the Skipper process.
7. Regularly review and rotate secrets accessible to Skipper to minimize exposure in case of compromise.
8. Conduct penetration testing and vulnerability scanning focused on ingress controllers and reverse proxies to detect similar misconfigurations or vulnerabilities.
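Recommendations 1 and 4 above can be turned into an audit: check whether a Skipper deployment's command line still permits inline Lua, and scan Ingress resources for `lua(...)` filters whose source is an inline script rather than a file. The script below is an added example, not code from the advisory or from the Skipper project; the `zalando.org/skipper-filter` annotation key, the eskip `lua("...")` syntax, and the "ends in .lua means file source" heuristic are assumptions, and the Ingress JSON is constructed sample data.

```python
import json
import re

# First string argument of each lua(...) call in an eskip filter chain.
# Assumed syntax: double-quoted string, no embedded escaped quotes.
LUA_CALL = re.compile(r'\blua\(\s*"([^"]*)"')


def lua_sources_allow_inline(container_args, default_inline=True):
    """True if the Skipper command line lets inline Lua run.

    Reads -lua-sources=<list> or -lua-sources <list>. If the flag is absent
    the advisory says pre-0.23.0 defaults to inline,file, so the caller sets
    default_inline from the running version."""
    for i, arg in enumerate(container_args):
        name, sep, value = arg.partition("=")
        if name.lstrip("-") != "lua-sources":
            continue
        if not sep and i + 1 < len(container_args):
            value = container_args[i + 1]
        return "inline" in [v.strip() for v in value.split(",")]
    return default_inline


def is_inline_source(arg):
    # Heuristic (assumption): a file source is a bare path ending in .lua;
    # anything with spaces or a function body is an inline script.
    return not (arg.endswith(".lua") and " " not in arg)


def find_inline_lua_filters(ingress_list_json, annotation="zalando.org/skipper-filter"):
    """Scan a kubectl '-o json' Ingress list; return (ns/name, snippet) hits."""
    hits = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        chain = meta.get("annotations", {}).get(annotation, "")
        for src in LUA_CALL.findall(chain):
            if is_inline_source(src):
                hits.append((f"{meta.get('namespace')}/{meta.get('name')}", src[:40]))
    return hits


# Constructed sample: one inline script, one file-backed filter, one plain ingress.
SAMPLE_INGRESS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "team-a", "name": "shop", "annotations": {
        "zalando.org/skipper-filter":
        'lua("function request(ctx, params) ctx.request.header[\'X-Inline\'] = \'1\' end")'}}},
    {"metadata": {"namespace": "team-b", "name": "api", "annotations": {
        "zalando.org/skipper-filter":
        'lua("/etc/skipper/lua/header.lua") -> setResponseHeader("X-Ok", "1")'}}},
    {"metadata": {"namespace": "team-c", "name": "plain", "annotations": {}}},
]})

if __name__ == "__main__":
    print("inline allowed:", lua_sources_allow_inline(["-lua-sources=inline,file"]))
    print("inline filters:", find_inline_lua_filters(SAMPLE_INGRESS_JSON))
```

Feed it the real container args from `kubectl get deploy <skipper> -o json` and the output of `kubectl get ingress -A -o json`; any hit is a route that only stays safe if the command line no longer lists `inline`.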
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-15T15:45:01.958Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696a9dd0b22c7ad868e95251
Added to database: 1/16/2026, 8:21:36 PM
Last enriched: 1/23/2026, 8:38:40 PM
Last updated: 2/5/2026, 11:05:40 PM