SecBoard
Zurück zur CVE-Übersicht

CVE-2026-50197

NONE
Risk Signal Score10/100 — NIEDRIG
  • Weniger als 24 Stunden alt

Beschreibung

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.

GitHub Advisories

GHSA-659f-rgp5-w4wfHIGH

Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

go/github.com/zalando/skipper0.26.10
GitHub Advisory

Referenzen