CVE-2026-23742
Published: 16 January 2026
Summary
CVE-2026-23742 is a high-severity Code Injection (CWE-94) vulnerability in Zalando Skipper. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 7.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring timely patching to Skipper version 0.23.0, which fixes the insecure default Lua configuration.
- CM-6 (Configuration Settings): enforces secure configuration settings to disable or restrict the vulnerable -lua-sources=inline,file default, preventing execution of untrusted Lua scripts.
- CM-7 (Least Functionality): limits the system to least functionality by prohibiting unnecessary Lua scripting capabilities that enable code injection from untrusted sources such as Kubernetes Ingress resources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing Skipper proxy directly enables remote code execution via injected Lua filters (T1190, T1059.011).
NVD Description
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The configuration inline allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0.
Deeper analysis
CVE-2026-23742 affects Skipper, an HTTP router and reverse proxy for service composition, in versions before 0.23.0. The vulnerability stems from the default configuration flag -lua-sources=inline,file, which permits the execution of inline Lua scripts. If untrusted users can create Lua filters (for example through a Kubernetes Ingress resource), they can inject scripts that read the filesystem available to the Skipper process. Additionally, if attackers can read Skipper logs, they can extract Skipper secrets. The issue is associated with CWE-94 (code injection), CWE-250 (execution with unnecessary privileges), and CWE-522 (insufficiently protected credentials), and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers require low privileges (PR:L) and can exploit this remotely over the network (AV:N) with low attack complexity and no user interaction. A malicious user with the ability to create Lua filters can execute arbitrary code to read sensitive filesystem contents accessible to the Skipper process. If they also have log access, they can retrieve Skipper secrets, potentially leading to high confidentiality, integrity, and availability impacts.
The vulnerability is fixed in Skipper version 0.23.0. Official mitigation guidance is available in the GitHub security advisory (GHSA-cc8m-98fm-rc9g), the release notes for v0.23.0, and the fixing commit (0b52894570773b29e2f3c571b94b4211ef8fa714), which recommend updating to the patched version and avoiding the vulnerable default Lua source configuration.
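As a defender-side check for the configuration described above, the following Python script (an added example, not Skipper project code) reports whether a container's arguments leave inline Lua sources enabled and whether an Ingress's zalando.org/skipper-filter annotation carries inline Lua scripts. The -lua-sources flag and the annotation key are Skipper's; the inline-versus-file heuristic, the treatment of an empty flag value, and the sample manifests are assumptions constructed for this example.

```python
"""Audit helper for the CVE-2026-23742 exposure in Skipper deployments.
Example code, not part of Skipper; all sample inputs are constructed."""
import re

# Per-route filter annotation read by Skipper's Kubernetes dataclient.
FILTER_ANNOTATION = "zalando.org/skipper-filter"
# Matches lua("...") or lua(`...`) and captures the script/source argument.
LUA_FILTER_RE = re.compile(r'lua\(\s*(?:"((?:[^"\\]|\\.)*)"|`([^`]*)`)')
PRE_FIX_DEFAULT = "inline,file"   # default before 0.23.0, per the advisory


def lua_sources_from_args(args):
    """Return the value of -lua-sources from a container's args, or None."""
    for i, arg in enumerate(args):
        flag, sep, value = arg.partition("=")
        if flag.lstrip("-") != "lua-sources":
            continue
        if sep:
            return value
        return args[i + 1] if i + 1 < len(args) else None
    return None


def inline_lua_allowed(args):
    """True if this Skipper invocation would execute inline Lua scripts.
    Assumption: an absent or empty flag behaves like the pre-0.23.0 default."""
    value = lua_sources_from_args(args) or PRE_FIX_DEFAULT
    sources = {s.strip() for s in value.split(",")}
    if "none" in sources:        # 'none' disables Lua filters outright
        return False
    return "inline" in sources


def inline_lua_filters(ingress):
    """Return inline Lua scripts found in an Ingress's skipper-filter annotation.
    Heuristic (assumption): a lua() argument not ending in '.lua' is inline."""
    annotations = ingress.get("metadata", {}).get("annotations", {})
    scripts = []
    for quoted, raw in LUA_FILTER_RE.findall(annotations.get(FILTER_ANNOTATION, "")):
        source = quoted or raw
        if not source.endswith(".lua"):
            scripts.append(source)
    return scripts


# Constructed samples: a pre-fix Skipper command line and two Ingress resources.
SAMPLE_ARGS = ["skipper", "-address=:9090", "-kubernetes"]
INLINE_INGRESS = {"metadata": {"name": "demo", "annotations": {
    FILTER_ANNOTATION: 'lua("function request(ctx, params) end") -> status(200)'}}}
FILE_INGRESS = {"metadata": {"name": "safe", "annotations": {
    FILTER_ANNOTATION: 'lua("/scripts/headers.lua")'}}}
```

Run inline_lua_allowed over each Skipper container's args and inline_lua_filters over every Ingress in the cluster; any hit on both sides is the exposed combination the advisory describes.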
Details
- CWE(s)