CVE-2026-24470
Published: 26 January 2026
Summary
CVE-2026-24470 is a high-severity Unintended Proxy or Intermediary ("Confused Deputy", CWE-441) vulnerability in Zalando Skipper when it runs as a Kubernetes Ingress controller. Its CVSS v3.1 base score is 8.1 (High).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.8th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-4 (Information Flow Enforcement) restricts which upstreams Skipper may forward to, so that a tenant cannot turn an Ingress plus a Service of type ExternalName into a route to an internal service that was never meant to be exposed.
SC-7 (Boundary Protection) segments the network around the ingress controller (for example with NetworkPolicy) so that Skipper can only reach the backends it is meant to proxy; a route that points at an unintended internal service then fails at the network layer even if it is admitted.
CM-6 (Configuration Settings) hardens Skipper's own configuration: keep ExternalName support disabled (the default from 0.24.0) or, where it is genuinely needed, allow list the targets it may resolve. This addresses the SSRF directly.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables exploitation of the public-facing Skipper Ingress controller (via malicious Ingress + ExternalName resources) to reach internal services, matching T1190 Exploit Public-Facing Application. SSRF/CWE-918 classification and resulting internal access confirm the mapping; no other techniques are directly facilitated by the described flaw.
NVD Description
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.
Deeper analysis
CVE-2026-24470 affects Skipper, an HTTP router and reverse proxy used for service composition, when it is deployed as a Kubernetes Ingress controller in versions prior to 0.24.0. The vulnerability arises because any user authorized to create Kubernetes Ingress resources and Services of type ExternalName can craft routes that use Skipper's network position to reach internal services the user could not otherwise access. The issue is classified under CWE-441 (Unintended Proxy or Intermediary) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N): network-reachable, low attack complexity, and only low privileges required.
An attacker with permissions to create Ingress and ExternalName Services (typically a namespace-scoped tenant rather than a cluster administrator) exploits this by defining routes that proxy requests through Skipper to internal services not intended for external exposure. Successful exploitation gives unauthorized access to internal endpoints, with high confidentiality and integrity impact (data read or modified through the proxied service); availability is not rated as affected, and no user interaction is needed beyond the ability to create those resources.
The fix ships in Skipper 0.24.0, which disables support for Kubernetes ExternalName Services by default. Before upgrading, operators can allow list ExternalName targets, with regular expression support, to restrict which hosts a route may resolve to. When writing those patterns, anchor them: an unanchored expression also matches hostnames that merely contain the allowed name. The Skipper GitHub security advisory (GHSA-mxxc-p822-2hx9) and the fixing commit a4c87ce029a58eb8e1c2c1f93049194a39cf6219 carry the details; the Kubernetes documentation on ExternalName Services provides additional context on the resource type.
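The two mitigations in the NVD description and the analysis above (ExternalName off by default, and a regex allowlist of permitted targets) are easy to get subtly wrong. The following Go code is an added illustration written for this page; it is not Skipper's implementation, and the type name `ExternalNamePolicy`, the sample hostnames and the `secrets-api.platform` service are assumptions. It shows an allowlist that is deny-by-default, anchors every pattern so a suffix such as `.attacker.example` cannot slip past, normalises case and trailing dots the way a resolver would, and refuses IP literals (which Kubernetes documents as unsupported for ExternalName anyway).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ExternalNamePolicy decides whether an Ingress may route to a Service of
// type ExternalName with a given target. It models the two mitigations the
// advisory describes: ExternalName support is off unless explicitly enabled,
// and when enabled only targets matching an allowlist of regular expressions
// are accepted. Illustrative code for this page, not Skipper's own.
type ExternalNamePolicy struct {
	Enabled bool
	allowed []*regexp.Regexp
}

// NewExternalNamePolicy compiles the allowlist. Every pattern is wrapped in
// ^(?:...)$ so that a pattern like `api\.internal\.example` cannot also match
// `api.internal.example.attacker.example`; an unanchored allowlist is the
// classic way a hostname allowlist turns into a bypass.
func NewExternalNamePolicy(enabled bool, patterns []string) (*ExternalNamePolicy, error) {
	p := &ExternalNamePolicy{Enabled: enabled}
	for _, pat := range patterns {
		if strings.TrimSpace(pat) == "" {
			return nil, errors.New("empty allowlist pattern")
		}
		re, err := regexp.Compile("^(?:" + pat + ")$")
		if err != nil {
			return nil, fmt.Errorf("bad allowlist pattern %q: %w", pat, err)
		}
		p.allowed = append(p.allowed, re)
	}
	return p, nil
}

// normalizeTarget canonicalises the ExternalName value the way a resolver
// sees it: lower-cased and without a trailing dot, so "Api.Partner.Example."
// is judged by the same rule as "api.partner.example".
func normalizeTarget(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// Allow reports whether the target may be proxied, and why not if it may not.
func (p *ExternalNamePolicy) Allow(externalName string) (bool, string) {
	if !p.Enabled {
		return false, "ExternalName services are disabled"
	}
	target := normalizeTarget(externalName)
	if target == "" {
		return false, "empty ExternalName target"
	}
	// ExternalName must be a DNS name; an IP literal is a sign someone is
	// aiming at an address (metadata endpoint, pod IP) rather than a service.
	if net.ParseIP(target) != nil {
		return false, "IP literal is not a valid ExternalName target"
	}
	for _, re := range p.allowed {
		if re.MatchString(target) {
			return true, "matched " + re.String()
		}
	}
	return false, "target not in allowlist"
}

func main() {
	// Constructed sample targets an Ingress author in a tenant namespace might try.
	targets := []string{
		"payments.partner.example",                  // legitimate external dependency
		"kubernetes.default.svc.cluster.local",      // the API server, reached through Skipper
		"secrets-api.platform.svc.cluster.local",    // hypothetical internal service in another namespace
		"payments.partner.example.attacker.example", // suffix trick against an unanchored pattern
		"169.254.169.254",                           // cloud metadata address as an IP literal
	}
	defaultPolicy, _ := NewExternalNamePolicy(false, nil)
	allowlisted, _ := NewExternalNamePolicy(true, []string{`[a-z0-9-]+\.partner\.example`})
	for _, t := range targets {
		ok1, why1 := defaultPolicy.Allow(t)
		ok2, why2 := allowlisted.Allow(t)
		fmt.Printf("%-45s default: %-5v (%s)  allowlist: %-5v (%s)\n", t, ok1, why1, ok2, why2)
	}
}
```

With the default (disabled) policy every target is refused, which is the post-0.24.0 behaviour; with the allowlist enabled only the partner hostname passes, and the internal cluster names, the suffix-padded hostname and the IP literal are all denied.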
Details
- CWE(s)