CVE-2026-50197 with a CVSS score of 8.7 is a vulnerability affecting github.com/zalando/skipper versions < 0.26.10 affecting github.com/zalando/skipper versions `github in Zalando's Skipper, which silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the Content-Length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.
We recommend you to update zalando/skipper to version 0.26.10.[/subscribe_to_unlock_form]
CVE-2026-50197 with a CVSS score of 8.7 is a vulnerability affecting github.com/zalando/skipper versions < 0.26.10 affecting github.com/zalando/skipper versions `github in Zalando's Skipper, which silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the Content-Length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.
We recommend you to update zalando/skipper to version 0.26.10.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]