Platform: go
Component: github.com/zalando/skipper
Fixed in: 0.24.1, 0.24.0
CVE-2026-24470 is a high-severity vulnerability affecting the Skipper Ingress Controller. This flaw allows unauthorized external access to internal services through improper handling of the ExternalName configuration. Affected versions are those prior to 0.24.0. A fix has been released in version 0.24.0, addressing the issue.
The vulnerability arises from Skipper's handling of ExternalName resources within Kubernetes. An attacker can craft a malicious ExternalName configuration that points to an external service, effectively bypassing Skipper's intended access controls. This allows them to directly access internal services that should be protected. The potential impact includes unauthorized data access, modification, or deletion, as well as the ability to pivot and compromise other systems within the Kubernetes cluster. The blast radius extends to any internal service exposed via ExternalName, potentially impacting sensitive applications and data.
This CVE was publicly disclosed on 2026-02-02. There is currently no indication of active exploitation in the wild, but the vulnerability's ease of exploitation warrants immediate attention. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests that a PoC could be developed relatively easily. It is not currently listed on the CISA KEV catalog.
Organizations deploying Skipper Ingress Controller in Kubernetes environments, particularly those relying on ExternalName configurations for service discovery, are at risk. Environments with less stringent Kubernetes access controls or those using shared Kubernetes clusters are especially vulnerable.
• linux / server:
journalctl -u skipper-ingress-controller -g 'ExternalName' | grep -i error
• generic web:
curl -I <skipper-ingress-controller-url>/ -H 'Host: malicious.example.com'
Check for unexpected responses or redirects.
• go: Inspect the Skipper Ingress Controller source code for improper ExternalName validation logic.
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Skipper Ingress Controller to version 0.24.0 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider temporarily restricting access to the ExternalName resource within your Kubernetes cluster. Implement network policies to limit inbound traffic to Skipper and restrict outbound traffic from Skipper to only necessary destinations. Carefully review all existing ExternalName configurations for any anomalies or suspicious entries. After upgrading, verify the fix by attempting to access internal services via a crafted ExternalName configuration – access should be denied.
Upgrade Skipper to version 0.24.0 or later. Alternatively, configure an allow-list for ExternalName targets and enable the regular-expression allow-list to mitigate the risk of unauthorized access to internal services.
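The allow-list mitigation described above, as an added example that is not Skipper's own code: a Go audit check that rejects ExternalName targets pointing at cluster-local DNS names or falling outside a hypothetical anchored-regex allow-list. The struct, the patterns and the sample Services are constructed for the example; Skipper's own allow-list flag syntax is not reproduced.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ExternalNameService is a constructed stand-in for a Kubernetes Service of type ExternalName.
type ExternalNameService struct {
	Namespace, Name, ExternalName string
}

// Hypothetical allow-list of anchored patterns; Skipper's own flag syntax is not reproduced.
var allowedExternalNames = []*regexp.Regexp{
	regexp.MustCompile(`^api\.partner\.example\.com$`),
	regexp.MustCompile(`^[a-z0-9-]+\.cdn\.example\.net$`),
}

// Suffixes of cluster-local DNS names that an ExternalName must never target.
var internalSuffixes = []string{".svc.cluster.local", ".svc", ".cluster.local"}

// CheckExternalName returns nil if the target is permitted, otherwise an error
// explaining why the Service should be rejected or investigated.
func CheckExternalName(svc ExternalNameService) error {
	target := strings.ToLower(strings.TrimSuffix(svc.ExternalName, "."))
	// A bare label (or empty value) resolves via the pod's search domains and can hit an in-cluster Service.
	if !strings.Contains(target, ".") {
		return fmt.Errorf("%s/%s: unqualified target %q may resolve inside the cluster", svc.Namespace, svc.Name, target)
	}
	for _, suf := range internalSuffixes {
		if strings.HasSuffix(target, suf) {
			return fmt.Errorf("%s/%s: target %q points at a cluster-internal name", svc.Namespace, svc.Name, target)
		}
	}
	for _, re := range allowedExternalNames {
		if re.MatchString(target) {
			return nil // permitted external target
		}
	}
	return fmt.Errorf("%s/%s: target %q is not on the ExternalName allow-list", svc.Namespace, svc.Name, target)
}

func main() {
	// Constructed samples: one legitimate partner host, one that names a cluster-internal service.
	for _, s := range []ExternalNameService{{"shop", "ok", "api.partner.example.com"}, {"shop", "bad", "db.billing.svc.cluster.local"}} {
		fmt.Println(s.Name, CheckExternalName(s))
	}
}
```

The same check can run as an admission webhook or as a periodic audit over `kubectl get svc -A -o json` output; the trailing-dot and case handling matter because DNS names compare case-insensitively.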
CVE-2026-24470 is a high-severity vulnerability in Skipper Ingress Controller that allows unauthorized external access to internal services via ExternalName configurations.
You are affected if you are using Skipper Ingress Controller versions prior to 0.24.0 and have ExternalName configurations.
Upgrade Skipper Ingress Controller to version 0.24.0 or later. Consider restricting access to ExternalName resources as a temporary workaround.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the official Skipper project repository and release notes for the latest advisory: https://github.com/zalando/skipper