๐Ÿ” CVE Alert

CVE-2026-50197

UNKNOWN 0.0

Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.

CWE CWE-444
Vendor zalando
Product skipper
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for zalando skipper

Be the first to know when new unknown vulnerabilities affecting zalando skipper are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

zalando / skipper
< 0.26.10

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf github.com: https://github.com/zalando/skipper/pull/4041 github.com: https://github.com/zalando/skipper/commit/3152f3b0bb52ca89c3564be42434db0a2a1cea23 github.com: https://github.com/zalando/skipper/releases/tag/v0.26.10