Description
Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-659f-rgp5-w4wf | Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests |
References
History
Fri, 17 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Zalando
Zalando skipper |
|
| Vendors & Products |
Zalando
Zalando skipper |
Fri, 17 Jul 2026 20:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the opaAuthorizeRequestWithBody filter and OpenPolicyAgentInstance.ExtractHttpBodyOptionally in filters/openpolicyagent/openpolicyagent.go produce an empty raw_body and input.parsed_body while the upstream service receives the full attacker-controlled body. This issue is fixed in version 0.26.10. | |
| Title | Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests | |
| Weaknesses | CWE-444 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:23:43.574Z
Reserved: 2026-06-03T22:05:13.645Z
Link: CVE-2026-50197
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T21:45:03Z
Weaknesses
-
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Github GHSA