PT-2026-3320 · Skipper · Skipper

B0B0Haha · Published 2026-01-16 · Updated 2026-02-18 · CVE-2026-23742

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Skipper versions prior to 0.23.0

Description: Skipper is an HTTP router and reverse proxy for service composition. Before version 0.23.0 the default configuration, -lua-sources=inline,file, allowed untrusted users to create Lua filters. Such filters could run scripts that read any part of the filesystem accessible to the Skipper process, so a user who could also read the logs could potentially read Skipper's secrets. The issue arises wherever untrusted users can create Lua filters, for example through a Kubernetes Ingress resource. An example Lua script could read the Kubernetes service account token from '/var/run/secrets/kubernetes.io/serviceaccount/token' and exfiltrate it via error logs. The vulnerability allows arbitrary code execution through Lua filters.

Recommendations: Update Skipper to version 0.23.0 or later. As a workaround, restrict Lua sources to files with -lua-sources=file, which limits exploitation to scenarios where an attacker can already create a Lua script file on the target system.
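A small audit helper for the recommendation above, added here as an example and not part of the advisory or of the Skipper project: it reads a Skipper version and command line, treats an absent -lua-sources flag on a pre-0.23.0 build as the "inline,file" default the advisory describes (an assumption drawn from the text), and reports whether the deployment is fixed, mitigated by the -lua-sources=file workaround, or still exploitable. The version comparison is a plain major.minor check and the sample command lines are constructed.

```shell
#!/bin/sh
# Audit helper for CVE-2026-23742 (constructed example, not Skipper tooling).

# Extract the effective -lua-sources value from a Skipper command line.
# An absent flag is reported as the pre-0.23.0 default "inline,file"
# (assumption based on the advisory; callers check the version separately).
lua_sources_of() {
    cmdline="$1"
    value=$(printf '%s\n' "$cmdline" | sed -n 's/.*-lua-sources[= ]\([^ ]*\).*/\1/p')
    if [ -z "$value" ]; then
        echo "inline,file"
    else
        echo "$value"
    fi
}

# "weak" if inline Lua sources are still permitted, "ok" otherwise.
lua_sources_risk() {
    case "$(lua_sources_of "$1")" in
        *inline*) echo "weak" ;;
        *)        echo "ok" ;;
    esac
}

# "fixed" for 0.23.0 and later, "vulnerable" below that (accepts a leading "v").
version_status() {
    v="${1#v}"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 0 ] || [ "$minor" -ge 23 ]; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Combine both checks: fixed / mitigated (file-only workaround) / exploitable.
assess() {
    version="$1"
    cmdline="$2"
    if [ "$(version_status "$version")" = "fixed" ]; then
        echo "fixed"
    elif [ "$(lua_sources_risk "$cmdline")" = "weak" ]; then
        echo "exploitable"
    else
        echo "mitigated"
    fi
}

# Usage: ./check.sh <skipper-version> "<skipper command line>"
if [ "$#" -ge 2 ]; then
    assess "$1" "$2"
fi
```

Run it against what `ps` or the Deployment manifest shows for the Skipper process; "exploitable" means an untrusted user who can create Ingress-defined Lua filters can still reach the filesystem as described in the advisory, and "mitigated" means the file-only workaround is in place but the upgrade is still owed.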

Tags: Exploit · Fix · LPE · RCE

Weakness Enumeration

Insufficiently Protected Credentials
Code Injection

Related Identifiers

CVE-2026-23742
GHSA-CC8M-98FM-RC9G
GO-2026-4327
SUSE-SU-2026:0403-1

Affected Products

Skipper