CVE-2026-50197
Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.
| CWE | CWE-444 |
| Vendor | zalando |
| Product | skipper |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for zalando skipper
Be the first to know when new unknown vulnerabilities affecting zalando skipper are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
zalando / skipper
< 0.26.10
References
github.com: https://github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf github.com: https://github.com/zalando/skipper/pull/4041 github.com: https://github.com/zalando/skipper/commit/3152f3b0bb52ca89c3564be42434db0a2a1cea23 github.com: https://github.com/zalando/skipper/releases/tag/v0.26.10