PT-2026-4831 · Kipper · Kipper

B0B0Haha · Published 2026-01-26 · Updated 2026-02-18 · CVE-2026-24470

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Skipper versions prior to 0.24.0

Description

Skipper is an HTTP router and reverse proxy for service composition. When operating as an Ingress controller, users with the ability to create Ingress resources and Services of type ExternalName can establish routes that leverage Skipper’s network access to reach internal services. This can potentially allow unauthorized access to internal services. The issue arises from the handling of Kubernetes ExternalName services.

Recommendations

Update to version 0.24.0 or later. As a workaround, use the -kubernetes-only-allowed-external-names=true flag. As a workaround, allow list targets of an ExternalName using regular expressions with the -kubernetes-allowed-external-name '^[a-z][a-z0-9-.]+[.].allowed.example$' flag.
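
An allow-list pattern should be tested against real target names before it is deployed, because in Go regexp syntax an unescaped `.` matches any character. The following is an added example, not Skipper's code and not part of the advisory, that audits the quoted pattern beside a tightened one. It assumes the flag value is a Go `regexp` matched against the Service's `spec.externalName`; `strictPattern`, `audit` and the sample hostnames are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern exactly as quoted in the recommendation above.
const pagePattern = `^[a-z][a-z0-9-.]+[.].allowed.example$`

// Hypothetical tightened variant (an assumption, not from the advisory):
// each literal dot is written as [.] so it cannot match any other character.
const strictPattern = `^[a-z][a-z0-9-.]+[.]allowed[.]example$`

// Constructed ExternalName targets, not taken from any real cluster.
var samples = []string{
	"api.allowed.example",       // intended target
	"api.team.allowed.example",  // intended target, deeper subdomain
	"api.xallowed.example",      // different parent domain
	"metadata.internal.example", // unrelated internal name
	"10.0.0.1",                  // IP literal
}

// audit returns the candidates a pattern admits. Assumption: the flag value
// is a Go regexp matched against the Service's spec.externalName string.
func audit(pattern string, candidates []string) []string {
	re := regexp.MustCompile(pattern)
	var admitted []string
	for _, c := range candidates {
		if re.MatchString(c) {
			admitted = append(admitted, c)
		}
	}
	return admitted
}

func main() {
	for _, p := range []string{pagePattern, strictPattern} {
		fmt.Printf("%-42s admits %q\n", p, audit(p, samples))
	}
}
```

Running the same audit over the externalName values already present in a cluster shows, before the flag is enabled, which existing routes would be dropped and which names would be admitted.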

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-24470
GHSA-MXXC-P822-2HX9
GO-2026-4378
SUSE-SU-2026:0403-1

Affected Products

Kipper