High severity · OSV Advisory · Published Jan 26, 2026 · Updated Jan 27, 2026
Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
CVE-2026-24470
Description
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when Skipper runs as an Ingress controller, users with permission to create an Ingress and a Service of type ExternalName can create routes that let them use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow-list the targets of an ExternalName, with the allow list expressed as regular expressions.
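The following audit sketch is an added example, not code from Skipper or from the advisory. It checks Ingress backends that resolve to ExternalName Services against a regular-expression allow list, and anchors each pattern so that a suffix cannot slip past it. The `Service` and `Backend` types and the sample objects are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Service struct{ Namespace, Name, Type, ExternalName string } // hypothetical stand-in, not a Skipper type
type Backend struct{ Namespace, Ingress, Service string }         // hypothetical: one Ingress backend reference

// Audit lists Ingress backends whose ExternalName Service target matches no
// allow-list pattern. With an empty allow list every such backend is flagged.
func Audit(svcs []Service, backends []Backend, patterns []string) (findings []string, err error) {
	var allow []*regexp.Regexp
	for _, p := range patterns {
		// Anchor: unanchored, `api\.partner\.example` also matches "api.partner.example.attacker.test".
		re, err := regexp.Compile(`^(?:` + p + `)$`)
		if err != nil {
			return nil, fmt.Errorf("allow list pattern %q: %w", p, err)
		}
		allow = append(allow, re)
	}
	byKey := map[string]Service{}
	for _, s := range svcs {
		byKey[s.Namespace+"/"+s.Name] = s
	}
next:
	for _, b := range backends {
		s := byKey[b.Namespace+"/"+b.Service] // zero value if the Service is missing
		if s.Type != "ExternalName" {
			continue
		}
		host := strings.TrimSuffix(strings.ToLower(s.ExternalName), ".") // DNS: case-insensitive, optional root dot
		for _, re := range allow {
			if re.MatchString(host) {
				continue next
			}
		}
		findings = append(findings, b.Namespace+"/"+b.Ingress+" -> "+host)
	}
	return findings, nil
}

func main() { // constructed sample objects, not taken from the advisory
	svcs := []Service{{"team-a", "partner", "ExternalName", "api.partner.example"},
		{"team-b", "meta", "ExternalName", "admin.internal.example"}}
	backends := []Backend{{"team-a", "shop", "partner"}, {"team-b", "probe", "meta"}}
	fmt.Println(Audit(svcs, backends, []string{`api\.partner\.example`}))
}
```

Each finding names the namespace and Ingress whose backend points at a target outside the allow list, which is the set of routes to review before or after upgrading.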
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/zalando/skipper (Go) | < 0.24.0 | 0.24.0 |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/zalando/skipper, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: < 0.24.0
- (no CPE) range: < 0.0.20260205T172317-150000.1.146.1
References
- github.com/advisories/GHSA-mxxc-p822-2hx9 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24470 (ghsa; ADVISORY)
- github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219 (ghsa; x_refsource_MISC; WEB)
- github.com/zalando/skipper/releases/tag/v0.24.0 (ghsa; WEB)
- github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9 (ghsa; x_refsource_CONFIRM; WEB)
- kubernetes.io/docs/concepts/services-networking/service/ (ghsa; x_refsource_MISC; WEB)