Cyber Resilience

CVE-2026-23742

High · Public PoC · RCE

Published: 16 January 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: Skipper 0.23.0 (see Deeper analysis)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (37.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23742 is a high-severity Code Injection (CWE-94) vulnerability in Zalando Skipper. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-23742 affects Skipper, an HTTP router and reverse proxy for service composition, in versions before 0.23.0. The vulnerability stems from the default configuration flag -lua-sources=inline,file, which permits the execution of inline Lua scripts. If untrusted users can create Lua filters, for example through a Kubernetes Ingress resource, they can inject scripts that access the filesystem available to the Skipper process. Additionally, if attackers can read Skipper logs, they can extract Skipper secrets. The issue is associated with CWE-94 (code injection), CWE-250 (execution with unnecessary privileges), and CWE-522 (insufficiently protected credentials), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require low privileges (PR:L) and can exploit this remotely over the network (AV:N) with low complexity and no user interaction. A malicious user with the ability to create Lua filters can execute arbitrary code to read sensitive filesystem contents accessible to the Skipper process. If they also have log access, they can retrieve skipper secrets, potentially leading to high confidentiality, integrity, and availability impacts.

The vulnerability is fixed in Skipper version 0.23.0. Official mitigation guidance is available in the GitHub security advisory (GHSA-cc8m-98fm-rc9g), the release notes for v0.23.0, and the fixing commit (0b52894570773b29e2f3c571b94b4211ef8fa714), which recommend updating to the patched version and avoiding the vulnerable default Lua source configuration.

Vulnerability details

Skipper is an HTTP router and reverse proxy for service composition. The default Skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create Lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource.

The configuration inline allows these users to create a script that is able to read the filesystem accessible to the Skipper process, and if the user has access to read the logs, they can read Skipper secrets. This vulnerability is fixed in 0.23.0.
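The passages above describe two conditions that together make a deployment exposed: a Skipper release before 0.23.0, and Lua sources that include inline (either set explicitly or inherited from the pre-0.23.0 default when the flag is absent). The following audit script is an added example for this page, not code from the Skipper project. It assumes that -lua-sources takes a comma-separated list (the page quotes the default inline,file), that Go-style flags accept both -flag=value and -flag value with the last occurrence winning, and the container specs it scans are a constructed sample rather than a real deployment. The -address flag in the sample is only there as an unrelated argument the parser must step over.

```python
"""Audit Skipper container arguments for the inline-Lua exposure (CVE-2026-23742).

Added example for this page; it is not code from the Skipper project.
Assumptions: -lua-sources takes a comma-separated list (the page quotes the
pre-0.23.0 default "inline,file"), Go-style flags accept "-flag=value" and
"-flag value" with the last occurrence winning, and SAMPLE_CONTAINERS below
is a constructed sample, not a real cluster.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

FIXED_VERSION = (0, 23, 0)                 # fix version stated on the page
VULNERABLE_DEFAULT = ("inline", "file")    # pre-0.23.0 default stated on the page


def parse_version(tag: str) -> Tuple[int, ...]:
    """'v0.22.1' or '0.23.0-rc1' -> (0, 22, 1) / (0, 23, 0).
    Pre-release suffixes are ignored; an unparsable tag becomes (0, 0, 0),
    which deliberately sorts as affected (conservative)."""
    core = tag.lstrip("v").split("-", 1)[0]
    nums = []
    for part in core.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def version_from_image(image: str) -> str:
    """'ghcr.io/example/skipper:v0.22.0' -> 'v0.22.0'; an untagged image -> 'unknown'."""
    last = image.rsplit("/", 1)[-1]          # strip registry/repo so a registry port is not mistaken for a tag
    return last.split(":", 1)[1] if ":" in last else "unknown"


def lua_sources_from_args(args: Sequence[str]) -> Optional[Tuple[str, ...]]:
    """Return the -lua-sources value as lowercase tokens, or None when the flag is absent."""
    value = None
    i = 0
    while i < len(args):
        name = args[i].lstrip("-")           # accept -lua-sources and --lua-sources
        if name.startswith("lua-sources="):
            value = name.split("=", 1)[1]    # "-lua-sources=inline,file"
        elif name == "lua-sources" and i + 1 < len(args):
            value = args[i + 1]              # "-lua-sources inline,file"
            i += 1
        i += 1
    if value is None:
        return None
    return tuple(t.strip().lower() for t in value.split(",") if t.strip())


@dataclass
class Finding:
    container: str
    version: str
    lua_sources: Optional[Tuple[str, ...]]
    verdict: str      # VULNERABLE, REVIEW, UPGRADE or OK
    reason: str


def assess(container: str, version: str, args: Sequence[str]) -> Finding:
    sources = lua_sources_from_args(args)
    affected = parse_version(version) < FIXED_VERSION
    if sources is None and affected:
        sources = VULNERABLE_DEFAULT      # flag absent: the pre-fix default applies
    inline = sources is not None and "inline" in sources
    if affected and inline:
        verdict, reason = "VULNERABLE", "pre-0.23.0 release with inline Lua sources enabled"
    elif inline:
        verdict, reason = "REVIEW", "fixed release but inline Lua enabled; confirm only trusted users can create filters"
    elif affected:
        verdict, reason = "UPGRADE", "inline Lua disabled, but the release predates the 0.23.0 fix"
    else:
        verdict, reason = "OK", "fixed release without inline Lua sources"
    return Finding(container, version, sources, verdict, reason)


def audit(containers: Sequence[dict]) -> List[Finding]:
    """containers: [{'name': ..., 'image': ..., 'args': [...]}], as in a Pod spec."""
    return [assess(c["name"], version_from_image(c["image"]), c.get("args", [])) for c in containers]


# Constructed sample container specs (not from any real cluster).
SAMPLE_CONTAINERS = [
    {"name": "ingress-old", "image": "ghcr.io/example/skipper:v0.22.0",
     "args": ["-address=:9090"]},                              # implicit pre-fix default
    {"name": "ingress-explicit", "image": "ghcr.io/example/skipper:v0.22.0",
     "args": ["-address=:9090", "-lua-sources", "inline"]},   # space-separated flag form
    {"name": "ingress-hardened", "image": "ghcr.io/example/skipper:v0.22.0",
     "args": ["--lua-sources=file"]},                          # inline removed, still old release
    {"name": "ingress-fixed", "image": "ghcr.io/example/skipper:v0.23.0",
     "args": ["-address=:9090"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONTAINERS):
        print(f"{f.verdict:<10} {f.container:<18} {f.version:<8} lua-sources={f.lua_sources} ({f.reason})")
```

The checker treats an absent flag on a pre-0.23.0 release as the vulnerable default, because that is what the advisory says the default was; for 0.23.0 and later it does not assume a default, since the page does not state one, and only reports REVIEW when inline is set explicitly. Feed it the `args:` lists from your Skipper Deployments or DaemonSets to find the pods that need either an upgrade, a configuration change, or both.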

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.011 Lua (Execution): Adversaries may abuse Lua commands and scripts for execution.
Why these techniques?

Vulnerability in public-facing Skipper proxy directly enables remote code execution via injected Lua filters (T1190 + T1059.011).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-24470 (same product: Zalando Skipper)
- CVE-2026-44403 (shared CWE-94)
- CVE-2026-22771 (shared CWE-94)
- CVE-2026-41229 (shared CWE-94)
- CVE-2026-44262 (shared CWE-94)
- CVE-2026-40563 (shared CWE-94)
- CVE-2024-32641 (shared CWE-94)
- CVE-2025-71243 (shared CWE-94)
- CVE-2026-2052 (shared CWE-94)
- CVE-2026-9170 (shared CWE-94)

Affected Assets

zalando/skipper, versions ≤ 0.23.0 (as listed here; note that the advisory text above states that versions before 0.23.0 are affected and that 0.23.0 contains the fix)

Mitigating Controls (NIST 800-53 r5, AI)

- prevent: Directly mitigates the vulnerability by requiring timely patching to Skipper version 0.23.0, which fixes the insecure default Lua configuration.
- prevent (CM-6, Configuration Settings): Enforces secure configuration settings to disable or restrict the vulnerable -lua-sources=inline,file default, preventing execution of untrusted Lua scripts.
- prevent (CM-7, Least Functionality): Limits the system to least functionality by prohibiting unnecessary Lua scripting capabilities that enable code injection from untrusted sources such as Kubernetes Ingress.
