CVE-2026-50197
Received Received - Intake

OpenPolicyAgent Bypass in Skipper HTTP Router

Vulnerability report for CVE-2026-50197, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zalando skipper to 0.26.10 (exc)
zalando skipper to 0.26.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Skipper (versions 0.26.9 and earlier) allows bypassing Open Policy Agent (OPA) authorization checks when processing HTTP requests with Transfer-Encoding: chunked or HTTP/2 requests without a Content-Length header. The OPA filter fails to inspect the actual request body in these cases, sending an empty body to OPA while the real payload bypasses inspection and reaches the upstream service.

Detection Guidance

To detect this vulnerability, check if your Skipper instance is running a version prior to 0.26.10. Use the command: skipper version. If the version is below 0.26.10, the system is vulnerable. Additionally, inspect network traffic for HTTP/1.1 requests with Transfer-Encoding: chunked or HTTP/2 requests without a content-length header that bypass OPA policies.

Impact Analysis

Attackers could send malicious requests with unauthorized payloads (e.g., admin=true) that bypass OPA policies. This could allow unauthorized access to protected resources or actions, compromising the security of the system relying on Skipper for authorization.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating compliance requirements for data protection (e.g., GDPR's integrity and confidentiality principles or HIPAA's access controls). Organizations relying on OPA for policy enforcement may fail to meet regulatory standards due to this bypass.

Mitigation Strategies

Upgrade Skipper to version 0.26.10 or later immediately. Use the command: docker pull ghcr.io/zalando/skipper:v0.26.10 or update your installation. Verify the upgrade with skipper version. Ensure OPA policies are correctly enforced for all request types, including chunked and HTTP/2 requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50197. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart