CVE-2026-23742

Skipper's Sinking Ship: Arbitrary Code Execution via Lua Filters

Amit Schendel
Senior Security Researcher

Jan 17, 2026 · 5 min read

Executive Summary (TL;DR)

In versions prior to 0.23.0, Skipper enabled its Lua scripting engine by default and permitted 'inline' code sources. Attackers with the ability to configure routes (e.g., via Kubernetes Ingress) could inject malicious Lua scripts to read sensitive files—such as Kubernetes Service Account tokens—or execute system commands, leading to potential cluster compromise.

Zalando Skipper, a popular HTTP router and reverse proxy, suffered from a critical 'insecure by default' configuration that allowed arbitrary Lua code execution. By enabling inline script sources without adequate sandboxing, the tool essentially handed a loaded gun to anyone with the ability to define routing filters.
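As an added defender-side audit (not code from this advisory or the Skipper project), the script below scans Kubernetes Ingress objects for Skipper lua() filters whose argument is an inline script rather than a file path or URL, which is the configuration the advisory describes. It assumes Skipper's eskip filter-chain syntax (filters joined by "->", lua("...")) and the zalando.org/skipper-filter annotation; the inline/file/url classification is a hypothetical approximation of Skipper's own rule.

```python
"""Flag Kubernetes Ingress objects that carry inline Lua in Skipper filters."""
import re

# Assumed: Skipper reads the filter chain from this Ingress annotation.
ANNOTATION = "zalando.org/skipper-filter"
# Match lua("...") with a double-quoted argument (escaped quotes allowed).
LUA_FILTER = re.compile(r'\blua\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def classify_lua_source(arg: str) -> str:
    """Classify a lua() argument as url, file or inline (assumed heuristic)."""
    if arg.startswith(("http://", "https://")):
        return "url"
    if arg.endswith(".lua"):
        return "file"
    return "inline"


def find_inline_lua(ingresses):
    """Return (namespace, name, script_prefix) for every inline lua() filter."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        chain = meta.get("annotations", {}).get(ANNOTATION, "")
        for match in LUA_FILTER.finditer(chain):
            script = match.group(1)
            if classify_lua_source(script) == "inline":
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name", "?"), script[:60]))
    return findings


# Constructed sample Ingress objects, not data from any real cluster.
SAMPLE_INGRESSES = [
    {"metadata": {"name": "shop", "namespace": "prod", "annotations": {
        ANNOTATION: "lua(\"function request(ctx, params) "
                    "ctx.request.header['X-Audit'] = '1' end\") "
                    "-> setResponseHeader(\"X-A\", \"b\")"}}},
    {"metadata": {"name": "api", "namespace": "prod", "annotations": {
        ANNOTATION: "lua(\"/etc/skipper/filters/ratelimit.lua\")"}}},
    {"metadata": {"name": "web", "namespace": "dev", "annotations": {
        ANNOTATION: "setPath(\"/x\")"}}},
]

if __name__ == "__main__":
    for ns, name, snippet in find_inline_lua(SAMPLE_INGRESSES):
        print(f"{ns}/{name}: inline lua filter: {snippet!r}")
```

Feed it the output of `kubectl get ingress -A -o json` (the `items` list) to audit a live cluster; any hit on a pre-0.23.0 Skipper deserves a review of who can create Ingress objects in that namespace.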


Technical Appendix

CVSS Score
8.8 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

Zalando Skipper HTTP Router
Kubernetes Clusters using Skipper as Ingress Controller

Affected Versions Detail

Product: Skipper (Zalando)
Affected Versions: < 0.23.0
Fixed Version: 0.23.0
CWE ID: CWE-94 (Code Injection)
CVSS v3.1: 8.8 (High)
Attack Vector: Network (via Config/Ingress)
Privileges Required: Low (Ingress Creation)
Impact: Arbitrary Code Execution / Information Disclosure
Exploit Status: PoC Available

CWE-94: Code Injection

Improper Control of Generation of Code ('Code Injection')

Vulnerability Timeline

Vulnerability Published
2026-01-16
Patch v0.23.0 Released
2026-01-16
