CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-8QQM-FP2Q-V734

GHSA-8QQM-FP2Q-V734: Authorization Bypass in Skipper's Open Policy Agent Integration

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 17, 2026·6 min read·3 visits

Executive Summary (TL;DR)

Oversized HTTP request bodies skip Skipper's OPA inspection filter but are still forwarded intact to backend microservices, causing deny-on-presence authorization checks to fail open.

An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.

Vulnerability Overview

Skipper is a high-performance HTTP router and reverse proxy commonly deployed as a Kubernetes Ingress controller or standalone API gateway. Within its security features, Skipper provides an opaAuthorizeRequestWithBody filter that extracts incoming HTTP request bodies and forwards them to an Open Policy Agent (OPA) decision engine to enforce content-based security policies.

These policies often inspect incoming payloads to block restricted parameters, privilege-escalation fields, or unauthorized administrative actions. Under normal operating conditions, requests with bodies are fully buffered and decoded into JSON structures before evaluation.

However, GHSA-8QQM-FP2Q-V734 represents an incomplete fix for a security bypass flaw. When a request declares a Content-Length larger than the configured maximum limit (maxBodyBytes), the proxy completely skips body inspection but continues to route the entire request downstream. This structural discrepancy allows an attacker to bypass critical security controls entirely.

Root Cause Analysis

To understand the root cause of GHSA-8QQM-FP2Q-V734, it is necessary to examine the patch introduced for CVE-2026-50197 in commit 3152f3b0bb52ca89c3564be42434db0a2a1cea23. The initial vulnerability occurred because chunked encoding set req.ContentLength to -1, which bypassed the buffer initialization in fillBuffer and returned an empty body to OPA.

The developers corrected this behavior by introducing an expectedSize variable that normalized negative lengths to the configured maximum body limit. However, they failed to account for situations where expectedSize exceeds the configured buffer limit (maxBodyBytes).

When a request has a positive Content-Length larger than maxBodyBytes, the conditional gate expectedSize <= int64(opa.maxBodyBytes) evaluates to false. Skipper then drops execution down to the end of the ExtractHttpBodyOptionally helper, returning a nil raw body slice to the authorization filter. Consequently, OPA receives an empty document and defaults to allowing the transaction, while Skipper forwards the original unconsumed HTTP request body directly to the upstream server.

Code Analysis

The vulnerability lives within the extraction routine inside filters/openpolicyagent/openpolicyagent.go. The logic block before and after the original fix illustrates the incomplete validation path.

// Vulnerable logic flow prior to fix
func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {
    body := req.Body
    if body != nil && !opa.EnvoyPluginConfig().SkipRequestBodyParse &&
        req.ContentLength <= int64(opa.maxBodyBytes) {
        wrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)
        requestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)
        // ...
        rawBody, err := wrapper.fillBuffer(req.ContentLength)
        return wrapper, rawBody, func() {}, err
    }
    return req.Body, nil, func() {}, nil
}

The patch modified the function to explicitly normalize expectedSize as follows:

 func (opa *OpenPolicyAgentInstance) ExtractHttpBodyOptionally(req *http.Request) (io.ReadCloser, []byte, func(), error) {
 	body := req.Body
 
+	expectedSize := req.ContentLength
+	if expectedSize < 0 {
+		expectedSize = opa.maxBodyBytes
+	}
+
 	if body != nil && !opa.EnvoyPluginConfig().SkipRequestBodyParse &&
-		req.ContentLength <= int64(opa.maxBodyBytes) {
+		expectedSize <= int64(opa.maxBodyBytes) {
 
 		wrapper := newBufferedBodyReader(req.Body, opa.maxBodyBytes, opa.bodyReadBufferSize)
 
-		requestedBodyBytes := bodyUpperBound(req.ContentLength, opa.maxBodyBytes)
+		requestedBodyBytes := bodyUpperBound(expectedSize, opa.maxBodyBytes)
 		if !opa.registry.maxMemoryBodyParsingSem.TryAcquire(requestedBodyBytes) {
 			return req.Body, nil, func() {}, ErrTotalBodyBytesExceeded
 		}
 
-		rawBody, err := wrapper.fillBuffer(req.ContentLength)
+		rawBody, err := wrapper.fillBuffer(expectedSize)
 		return wrapper, rawBody, func() { opa.registry.maxMemoryBodyParsingSem.Release(requestedBodyBytes) }, err
 	}
 
 	return req.Body, nil, func() {}, nil
 }

While normalizing negative values prevents the chunked transport bypass, it introduces a strict path where an explicitly oversized header skips the entire block. Because the check fails, the execution falls through to return req.Body, nil, func() {}, nil. The proxy returns the uninspected request body to the transport layer, but hands a nil raw slice to OPA, leading to a silent security failure.

Exploitation Methodology

To exploit this authorization bypass, an attacker must craft an HTTP request that intentionally exceeds Skipper's configured maxBodyBytes limit. This limit is often configured to a standard value (such as 1 MB) or can be determined experimentally.

First, the attacker identifies a destination API route protected by an OPA blocklist policy. A common scenario is a Rego rule that blocks the value "action": "delete" in the request body. If the policy is written as allow-by-default, any evaluation where input.parsed_body is empty will bypass the restriction.

Next, the attacker constructs a payload that performs the forbidden action and appends high-volume junk characters or whitespace as padding until the raw request size exceeds the limit. The attacker transmits this request with a precise Content-Length header matching the padded payload size.

POST /admin HTTP/1.1
Host: target-gateway.local
Content-Type: application/json
Content-Length: 2000000
Connection: close
 
{"action":"delete","padding":"AAAAAA..."}

Because the request size exceeds the configured maximum, Skipper skips body buffering, passes a nil body to OPA, and OPA evaluates the request as safe. The proxy then forwards the full, malicious payload to the upstream backend service, where the operation executes successfully.

Impact Assessment

This vulnerability has high severity because it enables complete authorization bypass on any endpoints relying on request-body policies. Organizations using Skipper as an ingress router to enforce compliance, API access boundaries, or data sanitization are vulnerable to remote, unauthenticated privilege escalation.

If the OPA configuration employs a blocklist (or a deny-on-presence design), any request that exceeds the buffer size limit will fail-open. Because of this, untrusted users can perform administrative actions, modify configurations, or inject malicious payloads into backend microservices.

Furthermore, the physical routing behavior remains completely unaffected by this condition. The upstream backend processes the fully formed, malicious body because Skipper forwards the untouched, original body stream (req.Body). This results in a classic request-interpretation mismatch between the proxy gateway and the internal backend services.

Remediation and Mitigation Guidance

The primary remediation is upgrading to Skipper version 0.27.26 or later, which correctly identifies and communicates the body truncation state. To ensure complete protection, administrators must also update their OPA policy rules to fail closed when request bodies are omitted.

Security teams must modify existing Rego policies to check the input.attributes.request.http.truncated_body flag. If this property is set to true, the policy must explicitly deny the request to prevent uninspected payloads from reaching the backend.

package envoy.authz
import rego.v1
 
default allow := false
 
# Fail closed if the body has been truncated or omitted
allow := false if {
    input.attributes.request.http.truncated_body == true
}
 
# Standard evaluation logic
allow := true if {
    not input.attributes.request.http.truncated_body
    input.parsed_body.action != "delete"
}

If upgrading is not immediately possible, temporary workarounds include enforcing payload limits at the web application firewall (WAF) layer or reducing the backend's accepted content size to match Skipper's maxBodyBytes setting.

Fix Analysis (1)

Technical Appendix

CVSS Score
8.2/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected Systems

Skipper Ingress Controller / Proxy
AttributeDetail
CWE IDCWE-863
Attack VectorNetwork
CVSS Score8.2
Exploit StatusPoC Available
Affected Componentfilters/openpolicyagent
Fixed Versionv0.27.26

MITRE ATT&CK Mapping

T1548Abuse Elevation Control Mechanism
Privilege Escalation
T1133External Remote Services
Initial Access
CWE-863
Incorrect Authorization

The software performs authorization checks but makes the decision based on incomplete or manipulated input data, leading to an unauthorized action being executed downstream.

Vulnerability Timeline

Incomplete fix commit merged
2026-06-01
Original CVE advisory published
2026-07-17
Secondary bypass identified and GHSA-8QQM-FP2Q-V734 published
2026-07-17
Skipper v0.27.26 released with mitigation documentation
2026-07-17

References & Sources

  • [1]GHSA-8QQM-FP2Q-V734 Advisory
  • [2]GHSA-659f-rgp5-w4wf Advisory
  • [3]Code Fix Commit
  • [4]Official PR 4041
  • [5]Skipper v0.27.26 Release
Related Vulnerabilities
CVE-2026-50197

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•26 minutes ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
0 views•7 min read
•about 6 hours ago•CVE-2026-53597
8.7

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 7 hours ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
6 views•7 min read
•about 8 hours ago•CVE-2026-55646
6.5

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Alon Barad
Alon Barad
7 views•5 min read
•about 9 hours ago•CVE-2026-34760
5.9

CVE-2026-34760: Adversarial Prompt Injection via Unweighted Audio Downmixing in vLLM

An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.

Amit Schendel
Amit Schendel
7 views•8 min read
•about 14 hours ago•GHSA-GGXF-9F6J-W742
5.3

GHSA-GGXF-9F6J-W742: Use-After-Free in Diesel SQLite Deserialization

A memory unsoundness vulnerability exists in the Diesel ORM crate when deserializing SQLite databases from raw bytes. The flaw is caused by a failure to bind the lifetime of the input buffer to the lifetime of the connection object, resulting in a Use-After-Free condition in the underlying libsqlite3 C library when subsequent queries are executed.

Alon Barad
Alon Barad
4 views•6 min read