CVE-2026-24470 (GCVE-0-2026-24470)
Vulnerability from cvelistv5 – Published: 2026-01-26 22:23 – Updated: 2026-01-27 14:51
Title
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Summary
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy'); CWE-918: Server-Side Request Forgery (SSRF)
Assigner
GitHub_M
References
3 references
| URL | Tags |
|---|---|
| https://github.com/zalando/skipper/security/advis… | x_refsource_CONFIRM |
| https://github.com/zalando/skipper/commit/a4c87ce… | x_refsource_MISC |
| https://kubernetes.io/docs/concepts/services-netw… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T14:50:06.337869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T14:51:35.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "skipper",
"vendor": "zalando",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper\u0027s network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-441",
"description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T22:23:43.325Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9"
},
{
"name": "https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219"
},
{
"name": "https://kubernetes.io/docs/concepts/services-networking/service/#externalname",
"tags": [
"x_refsource_MISC"
],
"url": "https://kubernetes.io/docs/concepts/services-networking/service/#externalname"
}
],
"source": {
"advisory": "GHSA-mxxc-p822-2hx9",
"discovery": "UNKNOWN"
},
"title": "Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24470",
"datePublished": "2026-01-26T22:23:43.325Z",
"dateReserved": "2026-01-23T00:38:20.546Z",
"dateUpdated": "2026-01-27T14:51:35.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-24470",
"date": "2026-06-29",
"epss": "0.00267",
"percentile": "0.18242"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-24470\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-26T23:16:09.123\",\"lastModified\":\"2026-06-17T10:23:07.030\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper\u0027s network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.\"},{\"lang\":\"es\",\"value\":\"Skipper es un router HTTP y proxy inverso para la composici\u00f3n de servicios. Antes de la versi\u00f3n 0.24.0, al ejecutar Skipper como un controlador Ingress, los usuarios con permisos para crear un Ingress y un Servicio de tipo ExternalName pueden crear rutas que les permiten usar el acceso de red de Skipper para alcanzar servicios internos. La versi\u00f3n 0.24.0 deshabilita Kubernetes ExternalName por defecto. Como soluci\u00f3n alternativa, los desarrolladores pueden incluir en la lista de permitidos los objetivos de un ExternalName e incluir en la lista de permitidos mediante expresiones regulares.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"zalando\",\"product\":\"skipper\",\"versions\":[{\"version\":\"\u003c 0.24.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-27T14:50:06.337869Z\",\"id\":\"CVE-2026-24470\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-441\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.24.0\",\"matchCriteriaId\":\"DEBBEB5D-B41E-48C3-BF83-F5018AAA9D12\"}]}]}],\"references\":[{\"url\":\"https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://kubernetes.io/docs/concepts/services-networking/service/#externalname\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24470\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T14:50:06.337869Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-27T14:51:31.267Z\"}}], \"cna\": {\"title\": \"Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName\", \"source\": {\"advisory\": \"GHSA-mxxc-p822-2hx9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"zalando\", \"product\": \"skipper\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.24.0\"}]}], \"references\": [{\"url\": \"https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9\", \"name\": \"https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219\", \"name\": \"https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://kubernetes.io/docs/concepts/services-networking/service/#externalname\", \"name\": \"https://kubernetes.io/docs/concepts/services-networking/service/#externalname\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper\u0027s network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-441\", \"description\": \"CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-26T22:23:43.325Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-24470\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-27T14:51:35.229Z\", \"dateReserved\": \"2026-01-23T00:38:20.546Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-26T22:23:43.325Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.