PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50197 zalando CVE debrief

CVE-2026-50197 is a vulnerability in Skipper, an HTTP router and reverse proxy for service composition. The vulnerability allows an attacker to send a full, attacker-controlled body to the upstream service due to the OpenPolicyAgent integration silently bypassing request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. This issue is fixed in version 0.26.10. Affected product or component is Skipper HTTP router and reverse proxy versions prior to 0.26.10. The vulnerability class is related to request-body inspection bypass. Likely operational impact includes potential security risks if not updated to the latest version. Source-confidence limits are based on the CVE record and NVD entry.

Vendor
zalando
Product
skipper
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of Skipper HTTP router and reverse proxy versions prior to 0.26.10 should update to the latest version to prevent potential security risks. Affected operators include those managing Skipper deployments. Platforms impacted include those using Skipper for service composition. Vulnerability-management and security teams should review and monitor HTTP requests and responses for potential security risks and implement additional security measures to prevent request-body inspection bypass.

Technical summary

CVE-2026-50197 is a vulnerability in Skipper, an HTTP router and reverse proxy for service composition. Prior to version 0.26.10, the OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. This could allow an attacker to send a full, attacker-controlled body to the upstream service. The issue is fixed in version 0.26.10. Affected product context includes Skipper versions prior to 0.26.10. Defensive impact includes potential security risks if not updated to the latest version.

Defensive priority

High

Recommended defensive actions

  • Update Skipper to version 0.26.10 or later
  • Review and monitor HTTP requests and responses for potential security risks
  • Implement additional security measures to prevent request-body inspection bypass
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and testing are recommended to fully understand the impact of this vulnerability. Affected product deployments should be confirmed in managed environments, and an owner should be assigned for follow-up. The OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. This could allow an attacker to send a full, attacker-controlled body to the upstream service. Evidence limits suggest verifying affected scope, severity, and vendor guidance through official advisories or CVE records.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:24.087Z and has not been modified since then.