Platform: go
Component: github.com/zalando/skipper
Fixed in: 0.24.1, 0.24.0
CVE-2026-24470 is a high-severity vulnerability affecting the Skipper Ingress Controller. This flaw allows unauthorized external access to internal services through improper handling of the ExternalName configuration. Affected versions are those prior to 0.24.0. A fix has been released in version 0.24.0, addressing the issue.
The vulnerability arises from Skipper's handling of ExternalName resources within Kubernetes. An attacker can craft a malicious ExternalName configuration that points to an external service, effectively bypassing Skipper's intended access controls. This allows them to directly access internal services that should be protected. The potential impact includes unauthorized data access, modification, or deletion, as well as the ability to pivot and compromise other systems within the Kubernetes cluster. The blast radius extends to any internal service exposed via ExternalName, potentially impacting sensitive applications and data.
This CVE was publicly disclosed on 2026-02-02. There is currently no indication of active exploitation in the wild, but the vulnerability's ease of exploitation warrants immediate attention. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests that a PoC could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Skipper Ingress Controller to version 0.24.0 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, temporarily restrict who can create or modify ExternalName Services in your Kubernetes cluster. Implement network policies that limit inbound traffic to Skipper and restrict outbound traffic from Skipper to only the destinations it needs. Review all existing ExternalName Services for anomalous or suspicious targets. After upgrading, verify the fix by attempting to reach an internal service through a crafted ExternalName configuration: access should be denied.
Update Skipper to version 0.24.0 or higher. Alternatively, configure an allowlist of permitted ExternalName destinations, expressed as regular expressions, so that only explicitly approved external hosts can be routed to; this mitigates the risk of unauthorized access to internal services.
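The allowlist mitigation above, as an added Go example (not Skipper's own code or flag handling): an ExternalName target is accepted only if it fully matches one of the operator-supplied regular expressions, and names with cluster-internal suffixes are refused regardless of the allowlist. The `internalSuffixes` list, the `ExternalNameAllowlist` type and the sample patterns are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Cluster-internal suffixes that an ExternalName target must never point at,
// whatever the allowlist says (suffix list assumed for this example).
var internalSuffixes = []string{".svc", ".svc.cluster.local", ".cluster.local", ".internal"}

// ExternalNameAllowlist holds anchored patterns (assumed type, not Skipper's own).
type ExternalNameAllowlist struct{ patterns []*regexp.Regexp }

// NewExternalNameAllowlist wraps each pattern in ^(?:...)$ so it must match the
// whole hostname: `example\.com` then cannot match "example.com.other.internal".
func NewExternalNameAllowlist(raw []string) (*ExternalNameAllowlist, error) {
	al := &ExternalNameAllowlist{}
	for _, p := range raw {
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			return nil, fmt.Errorf("invalid externalName pattern %q: %w", p, err)
		}
		al.patterns = append(al.patterns, re)
	}
	return al, nil
}

// Allowed normalises the target (lower case, trailing dot removed), refuses
// empty, localhost and cluster-internal names outright, and otherwise requires
// a full-name match against one of the allowlist patterns.
func (al *ExternalNameAllowlist) Allowed(target string) bool {
	host := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(target)), ".")
	if host == "" || host == "localhost" {
		return false
	}
	for _, s := range internalSuffixes {
		if strings.HasSuffix(host, s) {
			return false
		}
	}
	for _, re := range al.patterns {
		if re.MatchString(host) {
			return true
		}
	}
	return false
}
```

An unanchored pattern such as `example\.com` would otherwise also accept any longer name that merely contains it, which is why the constructor anchors every pattern itself.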
CVE-2026-24470 is a high-severity vulnerability in Skipper Ingress Controller that allows unauthorized external access to internal services via ExternalName configurations.
You are affected if you are using Skipper Ingress Controller versions prior to 0.24.0 and have ExternalName configurations.
Upgrade Skipper Ingress Controller to version 0.24.0 or later. Consider restricting access to ExternalName resources as a temporary workaround.
Refer to the official Skipper project repository and release notes for the latest advisory: https://github.com/zalando/skipper