CVE-2026-24470: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in zalando skipper
CVE-2026-24470 is a high-severity vulnerability in Zalando's Skipper HTTP router and reverse proxy, affecting versions prior to 0.24.0. When Skipper is used as a Kubernetes Ingress controller, a user who can create Ingress resources and Services of type ExternalName can make Skipper route traffic to internal services, bypassing network restrictions that apply to the user but not to the proxy. This unintended proxy, or 'confused deputy', flaw has high confidentiality and integrity impact and requires no user interaction. Version 0.24.0 mitigates it by disabling ExternalName Services by default; where they are still needed, permitted targets can be restricted with an allow-list. European organizations using Skipper in Kubernetes environments should prioritize upgrading and applying strict allow-listing to prevent unauthorized internal access. Countries with strong Kubernetes adoption and critical cloud-native infrastructure, such as Germany, the UK, and the Netherlands, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2026-24470 is classified under CWE-441 (Unintended Proxy or Intermediary, the 'confused deputy' pattern) and CWE-918 (Server-Side Request Forgery). It affects Zalando's Skipper, an HTTP router and reverse proxy used for service composition and as a Kubernetes Ingress controller. Before version 0.24.0, a user who could create Ingress resources and Services of type ExternalName could point an Ingress backend at an ExternalName Service whose spec.externalName names an internal host, and Skipper would proxy requests to that host. Skipper did not restrict or validate ExternalName targets, so limited Kubernetes permissions were enough to borrow Skipper's network position: the connection is made by the proxy, from wherever it runs and with whatever network access it has, not by the user. The result is unauthorized access to internal services that network segmentation or firewall rules would otherwise block, with exposure of confidential data or manipulation of internal service responses, hence the high confidentiality and integrity impact. No user interaction is needed and attack complexity is low; the only precondition is the ability to create Ingress and ExternalName Service resources. Skipper 0.24.0 mitigates the issue by disabling ExternalName Services by default; where they are required, permitted targets can be allow-listed, with regular expressions restricting the allowed destinations. No exploitation in the wild has been reported, but the CVSS score of 8.1 reflects the risk this flaw poses in cloud-native Kubernetes environments.
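The chain described above, as an added example that is not code from the Skipper project or from this advisory: a small Python model of how an unrestricted ingress controller resolves an Ingress backend through an ExternalName Service to an arbitrary host, placed beside the two controls the paragraph names (ExternalName disabled outright, or targets allow-listed by regular expression). The manifests, host names and allow-list patterns are constructed for illustration; the resolver is a simplified stand-in, not Skipper's Kubernetes data client.

```python
"""Model of the Ingress -> ExternalName Service -> internal host chain, with
the allow-list control beside it.

Added example, not code from the Skipper project: the resolver is a simplified
stand-in for how an unrestricted ingress controller turns an Ingress backend
into a proxy target. Manifests, host names and patterns are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Service:
    name: str
    namespace: str
    type: str                        # "ClusterIP", "ExternalName", ...
    external_name: Optional[str] = None


@dataclass
class Ingress:
    name: str
    namespace: str
    path: str
    backend_service: str
    backend_port: int


# Constructed cluster state. The tenant can only write into "tenant-a", yet the
# ExternalName target names a host in a namespace the tenant's own pods cannot
# reach; the proxy, which can, does the connecting on the tenant's behalf.
SERVICES = [
    Service("shop", "tenant-a", "ClusterIP"),
    Service("sneaky", "tenant-a", "ExternalName",
            external_name="vault.platform-secrets.svc.cluster.local"),
]
INGRESSES = [
    Ingress("shop", "tenant-a", "/", "shop", 80),
    Ingress("pivot", "tenant-a", "/pivot", "sneaky", 8200),
]


def resolve_backends(ingresses, services) -> List[Tuple[str, str, str]]:
    """Return (ingress, service type, target) as an unrestricted controller
    would resolve them: a ClusterIP backend stays inside the namespace, while
    an ExternalName backend becomes whatever host spec.externalName names."""
    index = {(s.namespace, s.name): s for s in services}
    out = []
    for ing in ingresses:
        svc = index.get((ing.namespace, ing.backend_service))
        if svc is None:
            continue  # dangling backend, nothing to proxy to
        if svc.type == "ExternalName":
            target = f"{svc.external_name}:{ing.backend_port}"
        else:
            target = f"{svc.name}.{svc.namespace}.svc:{ing.backend_port}"
        out.append((f"{ing.namespace}/{ing.name}", svc.type, target))
    return out


def external_name_allowed(host, allowed_patterns, allow_external_names=True):
    """The two controls the advisory names: ExternalName support switched off
    entirely (the 0.24.0 default), or a regex allow-list of permitted targets.
    re.fullmatch is deliberate: with re.match, a pattern meant for
    'api.example.com' would also accept 'api.example.com.attacker.net'."""
    if not allow_external_names:
        return False
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # bare IP literals never pass the allow-list
    except ValueError:
        pass
    return any(re.fullmatch(p, host) for p in allowed_patterns)


def audit(ingresses, services, allowed_patterns, allow_external_names=True):
    """Return (ingress, target) for every route the policy would reject."""
    rejected = []
    for route, svc_type, target in resolve_backends(ingresses, services):
        if svc_type != "ExternalName":
            continue
        host = target.rsplit(":", 1)[0]
        if not external_name_allowed(host, allowed_patterns, allow_external_names):
            rejected.append((route, target))
    return rejected


if __name__ == "__main__":
    # Assumed policy: only hosts directly under api.example.com may be proxied to.
    policy = [r"[a-z0-9-]+\.api\.example\.com"]
    for route, target in audit(INGRESSES, SERVICES, policy):
        print(f"REJECT {route} -> {target}")
```

Running it prints the pivot route as rejected while the legitimate ClusterIP route is untouched. Two details carry over to any real allow-list: match the whole host name (`re.fullmatch` here, `^...$` anchors in a controller's regex list), because a prefix match lets a tenant satisfy the pattern with a longer name they control; and treat bare IP literals as never allowed, since a tenant can name any internal address directly without needing a resolvable DNS name. When configuring Skipper itself, take the exact option names from the operation documentation for your version; they are not reproduced here.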
Potential Impact
For European organizations running Skipper as an Ingress controller on Kubernetes, this vulnerability poses a serious risk. An attacker with limited Kubernetes permissions can pivot through Skipper to internal services that are otherwise protected by network segmentation, which may lead to data breaches, unauthorized data manipulation, or lateral movement within the network. Exposure of business data, intellectual property, or customer information can in turn violate GDPR and other data protection regulations. Confidentiality and integrity of internal services are at high risk; availability is not directly impacted. Sectors such as finance, healthcare, and critical infrastructure, which rely heavily on Kubernetes for scalable service deployment, are particularly exposed. Because exploitation requires no user interaction and only low privileges, the risk is greatest in multi-tenant or shared Kubernetes clusters, common among European cloud providers, where many principals can create Ingress and Service resources in their own namespaces.
Mitigation Recommendations
European organizations should upgrade Skipper to version 0.24.0 or later, where ExternalName Services are disabled by default, and re-enable them only where a concrete need exists. Until the upgrade is applied, allow-list ExternalName targets through Skipper's configuration options, using regular expressions anchored to the exact host names you intend to permit rather than loose patterns. Review Kubernetes Role-Based Access Control (RBAC) so that only trusted users and service accounts can create Ingress resources and Services in namespaces served by Skipper; note that RBAC grants are per resource and verb, so a role that allows creating Services allows creating ExternalName Services too, and restricting the Service type requires an admission control, such as a validating admission policy or webhook that rejects spec.type: ExternalName outside an approved set of namespaces or targets. Enforce network segmentation and egress rules for Skipper's own pods where possible, so that the proxy cannot reach what the requesting tenant could not reach directly. Continuously audit Kubernetes resource creation events for Ingress and ExternalName Service writes to detect attempts to plant this pattern, and consider runtime security tooling that alerts on anomalous proxying behaviour within the cluster. Finally, brief DevOps and security teams on this vulnerability so that detection and response are rapid.
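The audit-log monitoring recommended above, as an added example that is not part of the advisory or of Skipper: a detector run over constructed Kubernetes API audit events (audit.k8s.io/v1 field layout, every value invented) that flags ExternalName Services written by untrusted subjects, escalates when the target looks cluster-internal, and correlates later Ingress writes in the same namespace that route to such a Service. INTERNAL_SUFFIXES and TRUSTED_SUBJECTS are assumptions to adapt to your own cluster.

```python
"""Flag the Ingress + ExternalName Service pattern in Kubernetes API audit logs.

Added example, not part of the advisory or of Skipper. The audit events are
constructed (audit.k8s.io/v1 layout, invented values); INTERNAL_SUFFIXES and
TRUSTED_SUBJECTS are assumptions to adapt per cluster.
"""
import ipaddress
import json

INTERNAL_SUFFIXES = (".svc", ".svc.cluster.local", ".cluster.local")
TRUSTED_SUBJECTS = {"system:serviceaccount:platform:ingress-admin"}


def _event(user, verb, resource, ns, name, spec, code=201):
    """Build one constructed audit event carrying the fields the detector reads."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": ns, "name": name},
        "responseStatus": {"code": code},
        "requestObject": {"metadata": {"name": name, "namespace": ns}, "spec": spec},
    }


# Constructed log, one JSON object per line as the apiserver writes it.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("dev-alice", "create", "services", "tenant-a", "sneaky",
           {"type": "ExternalName", "externalName": "vault.platform-secrets.svc.cluster.local"}),
    _event("dev-alice", "create", "ingresses", "tenant-a", "pivot",
           {"rules": [{"http": {"paths": [{"path": "/pivot",
                      "backend": {"service": {"name": "sneaky", "port": {"number": 8200}}}}]}}]}),
    _event("system:serviceaccount:platform:ingress-admin", "create", "services", "platform",
           "payments-gw", {"type": "ExternalName", "externalName": "payments.api.example.com"}),
    _event("dev-bob", "create", "services", "tenant-b", "cdn",
           {"type": "ExternalName", "externalName": "cdn.example.net"}),
    _event("dev-mallory", "create", "services", "tenant-a", "other",
           {"type": "ExternalName", "externalName": "10.0.0.5"}, code=403),
])


def is_internal_target(host):
    """Targets that only make sense as a pivot into the cluster or private
    network: cluster DNS names, loopback, private or link-local IP literals."""
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return host == "localhost" or host.endswith(INTERNAL_SUFFIXES)


def ingress_backends(obj):
    """Yield backend Service names from a networking.k8s.io/v1 Ingress body."""
    spec = obj.get("spec", {})
    default = spec.get("defaultBackend", {}).get("service", {}).get("name")
    if default:
        yield default
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name = path.get("backend", {}).get("service", {}).get("name")
            if name:
                yield name


def detect(jsonl):
    """Return (severity, message) alerts in log order. Only create and update
    carry the full object in requestObject; a patch event carries the patch
    body, so it is skipped here and should be resolved against the API."""
    external_names = {}  # (namespace, service name) -> (creator, target)
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("verb") not in ("create", "update"):
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue  # refused by RBAC or admission, nothing was persisted
        ref = ev.get("objectRef", {})
        obj = ev.get("requestObject", {})
        ns = ref.get("namespace")
        name = ref.get("name") or obj.get("metadata", {}).get("name")
        user = ev.get("user", {}).get("username", "?")
        spec = obj.get("spec", {})
        if ref.get("resource") == "services" and spec.get("type") == "ExternalName":
            target = spec.get("externalName", "")
            external_names[(ns, name)] = (user, target)
            if user in TRUSTED_SUBJECTS:
                continue
            if is_internal_target(target):
                alerts.append(("HIGH", f"{user} wrote ExternalName {ns}/{name} -> {target} (cluster-internal target)"))
            else:
                alerts.append(("MEDIUM", f"{user} wrote ExternalName {ns}/{name} -> {target} (review target)"))
        elif ref.get("resource") == "ingresses":
            for backend in ingress_backends(obj):
                if (ns, backend) in external_names:
                    creator, target = external_names[(ns, backend)]
                    alerts.append(("HIGH", f"{user} wrote Ingress {ns}/{name} routing {backend} -> {target} (ExternalName created by {creator})"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(AUDIT_LOG):
        print(severity, message)
```

This needs an audit policy that records requestObject for Services and Ingresses (level Request or RequestResponse); at Metadata level, spec.type and spec.externalName never reach the log and the detector sees nothing. Requests refused with a 4xx are skipped deliberately because nothing was persisted; they are still worth a separate low-severity signal for attempts, which is left out here to keep the correlation logic clear.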
Affected Countries
Germany, United Kingdom, Netherlands, France, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T00:38:20.546Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6977efd04623b1157cc026ce
Added to database: 1/26/2026, 10:50:56 PM
Last enriched: 2/3/2026, 8:44:33 AM
Last updated: 2/7/2026, 7:11:20 PM