Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/zalando/skipper
  4. ›
  5. CVE-2026-50197

CVE-2026-50197: Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

July 8, 2026

zalando/skipper’s OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body (e.g. “deny when a forbidden field is present”) evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.

References

  • github.com/advisories/GHSA-659f-rgp5-w4wf
  • github.com/zalando/skipper/security/advisories/GHSA-659f-rgp5-w4wf
  • nvd.nist.gov/vuln/detail/CVE-2026-50197

Code Behaviors & Features

Detect and mitigate CVE-2026-50197 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.26.10

Fixed versions

  • 0.26.10

Solution

Upgrade to version 0.26.10 or above.

Impact 10 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Source file

go/github.com/zalando/skipper/CVE-2026-50197.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 09 Jul 2026 12:19:22 +0000.