PT-2026-60892 · Go · Github.Com/Zalando/Skipper

CVE-2026-54246

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

5.7

Medium

VectorAV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

The routesrv component exposes the full cluster route topology (Ingress/RouteGroup configurations, backend URLs, filter chains, OAuth/OIDC callback paths) and cache-cluster topology (Redis/Valkey shard addresses) over plain HTTP with zero authentication. Any pod in the Kubernetes cluster can reach routesrv via its predictable DNS name and retrieve sensitive cluster-wide routing and cache infrastructure data.

Vulnerable Code

routesrv/routesrv.go:87-99,114-137 — all handler registrations on the main mux:
go
mux.Handle("/routes", b)     // eskipBytes.ServeHTTP — all route data
mux.Handle("/routes/{zone}", b)  // zone-scoped route data
mux.Handle("/swarm/redis/shards", rh)  // Redis cluster addresses
mux.Handle("/swarm/valkey/shards", vh) // Valkey cluster addresses
routesrv/eskipbytes.go:134-196eskipBytes.ServeHTTP:
go
func (e *eskipBytes) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
  // ... only checks GET/HEAD method, NO auth check
  if r.Method != "GET" && r.Method != "HEAD" {
    w.WriteHeader(http.StatusMethodNotAllowed)
    return
  }
  // ... serves all route data immediately
}
routesrv/redishandler.go:28-41RedisHandler.ServeHTTP:
go
func (rh *RedisHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  if r.Method != "GET" {
    w.WriteHeader(http.StatusMethodNotAllowed)
    return
  }
  // ... serves Redis cluster addresses immediately, NO auth check
}
routesrv/valkeyhandler.go:28-41ValkeyHandler.ServeHTTP:
go
func (vh *ValkeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  if r.Method != "GET" {
    w.WriteHeader(http.StatusMethodNotAllowed)
    return
  }
  // ... serves Valkey cluster addresses immediately, NO auth check
}

Attack Path

  1. Initial Compromise: Attacker compromises any pod in the Kubernetes cluster (via application CVE, supply-chain attack, malicious container image, etc.)
  2. Discovery: Attacker discovers routesrv via predictable Kubernetes DNS name: skipper-ingress-routesrv.kube-system.svc.cluster.local:9090 (documented at docs/tutorials/operations.md:108, docs/tutorials/ratelimit.md:137,197)
  3. Data Extraction without Auth:
  • GET http://<routesrv>:9090/routes → All Ingress/RouteGroup configurations across ALL namespaces
  • GET http://<routesrv>:9090/swarm/redis/shards → Redis cache cluster node addresses
  • GET http://<routesrv>:9090/swarm/valkey/shards → Valkey cache cluster node addresses
  1. Subsequent Attacks: With cache cluster topology, attacker can perform direct cache-level attacks (ratelimit data manipulation, session data exfiltration)

Permission Boundary Analysis

The routesrv uses a ServiceAccount with cluster-wide RBAC to list Ingress (networking.k8s.io), RouteGroup (zalando.org), Endpoints, and Services across all namespaces (see clusterclient.go:648-653 fetchClusterState). The kube-apiserver requires proper ServiceAccount token + RBAC authorization for the Kubernetes API itself, but routesrv exposes the aggregated data over HTTP with zero authentication.
A compromised pod with limited RBAC (restricted to its own namespace) can bypass Kubernetes RBAC entirely by reading routesrv. This crosses the boundary from "namespace-scoped Kubernetes workload with restricted RBAC" to "full cluster route topology across all namespaces".
No NetworkPolicy manifests exist in the deploy/ directory. The default Kubernetes flat network model allows any pod to reach any service, further widening the attack surface.

Exposed Data

EndpointData ExposedImpact
GET /routesAll ingress/routegroup backends: internal service URLs, filter chains (auth, rate limiting, OAuth, JWT, OPA policies), load balancer group membershipCluster-wide reconnaissance, targeted backend attacks
GET /routes/{zone}Zone-scoped subset of above route dataSame, scoped
GET /swarm/redis/shardsRedis cluster internal IP:port pairsDirect cache-level attacks, ratelimit data manipulation
GET /swarm/valkey/shardsValkey cluster internal IP:port pairsSame
Additionally, the data-plane client (eskipfile/remote.go:190-219) also performs plain HTTP GET with no credentials — only an ETag header is sent — confirming that no auth capability exists in the architecture at all.

Mitigation

  1. Add authentication to all routesrv HTTP endpoints (basic auth, bearer token, mTLS, or shared secret) via flag -route-server-filters=""
  2. Deploy Kubernetes NetworkPolicies restricting ingress to routesrv to only the data-plane skipper pod selectors
  3. Consider using mutual TLS authentication between data-plane and control-plane components

NetworkPolicy does not remove the missing-auth condition

Restrictive NetworkPolicies are a valid mitigation, but they are not an application-layer authentication mechanism. The security-relevant defect remains that routesrv serves control-plane-derived data to unauthenticated callers whenever network reachability exists.

Impact framing

This report does not rely on claiming direct integrity or availability impact. The verified issue is a confidentiality-focused control-plane exposure: route definitions, backend topology, filter-chain details, and Redis/Valkey shard addresses become readable to any reachable in-cluster client.

Resources

  • routesrv/routesrv.go:87-99 — handler registration (zero auth)
  • routesrv/eskipbytes.go:134-196 — route data handler (no auth)
  • routesrv/redishandler.go:28-41 — Redis shard handler (no auth)
  • routesrv/valkeyhandler.go:28-41 — Valkey shard handler (no auth)
  • dataclients/kubernetes/clusterclient.go:648-653fetchClusterState() — shows cluster-wide RBAC
  • eskipfile/remote.go:190-219 — data-plane client also has no auth capability
  • docs/tutorials/operations.md:108, docs/tutorials/ratelimit.md:137,197 — documented routesrv DNS name

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54246
GHSA-5587-2X54-JJ6H

Affected Products

Github.Com/Zalando/Skipper