Threat Advisory

Zalando Skipper Flaw Bypasses OPA Policy on Chunked HTTP/2 Requests

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50197 with a CVSS score of 8.7 is a vulnerability affecting github.com/zalando/skipper versions < 0.26.10 affecting github.com/zalando/skipper versions `github in Zalando's Skipper, which silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the Content-Length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.

RECOMMENDATION:

We recommend you to update zalando/skipper to version 0.26.10.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50197 with a CVSS score of 8.7 is a vulnerability affecting github.com/zalando/skipper versions < 0.26.10 affecting github.com/zalando/skipper versions `github in Zalando's Skipper, which silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the Content-Length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.

RECOMMENDATION:

We recommend you to update zalando/skipper to version 0.26.10.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu