Skipper's Slip-Up: Turning Kubernetes Ingress into an Internal Proxy
Vulnerability ID: CVE-2026-24470
CVSS Score: 8.1
Published: 2026-01-26
A high-severity SSRF vulnerability in Zalando Skipper allows attackers with Ingress creation privileges to route external traffic to internal cluster resources via Kubernetes ExternalName services.
TL;DR
Zalando Skipper (versions < 0.24.0) blindly trusted Kubernetes ExternalName services. By creating a Service pointing to an internal DNS name (like the Kubelet or Cloud Metadata) and an Ingress referencing it, a low-privileged user could proxy public traffic directly to sensitive internal infrastructure. The fix disables ExternalName support by default.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-918 (SSRF)
- CVSS v3.1: 8.1 (High)
- Attack Vector: Network
- Privileges Required: Low (Namespace Edit)
- Impact: Confidentiality, Integrity
- Class: Confused Deputy
Affected Systems
- Zalando Skipper < 0.24.0
- Kubernetes Clusters using Skipper as Ingress
- Skipper: < 0.24.0 (Fixed in: 0.24.0)
Code Analysis
Commit: a4c87ce
Fix: introduce flag to enable/disable Kubernetes ExternalName services
Mitigation Strategies
- Disable ExternalName support (Default in 0.24.0+)
- Implement Strict Allow-listing for ExternalNames
- Network Segmentation (NetworkPolicies)
Remediation Steps:
- Upgrade Zalando Skipper to version 0.24.0 or later immediately.
- By default, ExternalName support is now disabled. Verify your valid use cases before deploying.
- If you MUST use ExternalName services, enable them explicitly with -enable-kubernetes-external-names.
- Configure strict regex filtering using -kubernetes-allowed-external-name (e.g., ^.*\.trusted-partner\.com$) to prevent routing to internal IPs.
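An added example (not Skipper's code and not from the original advisory): a Go audit that lists every ExternalName Service whose target falls outside an allow-list, useful for reviewing existing Services before upgrading or before settling on a pattern for -kubernetes-allowed-external-name. The type svc, the function auditExternalNames and the sample JSON are constructed for illustration; real input is assumed to be the output of kubectl get services -A -o json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// svc is the small subset of a Service object this audit needs (hypothetical type).
type svc struct {
	Metadata struct{ Namespace, Name string }
	Spec     struct{ Type, ExternalName string }
}

// Constructed sample input, not taken from a real cluster.
const sampleServices = `{"items":[
 {"metadata":{"namespace":"shop","name":"partner-api"},"spec":{"type":"ExternalName","externalName":"api.trusted-partner.com"}},
 {"metadata":{"namespace":"dev","name":"innocent"},"spec":{"type":"ExternalName","externalName":"internal-admin.kube-system.svc.cluster.local"}},
 {"metadata":{"namespace":"dev","name":"meta"},"spec":{"type":"ExternalName","externalName":"169.254.169.254"}},
 {"metadata":{"namespace":"shop","name":"web"},"spec":{"type":"ClusterIP"}}]}`

// auditExternalNames returns "namespace/name -> target" for each ExternalName
// Service whose target matches none of the allow-list patterns.
func auditExternalNames(raw []byte, allowed []*regexp.Regexp) ([]string, error) {
	var list struct{ Items []svc }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range list.Items {
		ok := s.Spec.Type != "ExternalName" // other Service types are out of scope
		for _, re := range allowed {
			ok = ok || re.MatchString(s.Spec.ExternalName)
		}
		if !ok {
			findings = append(findings, fmt.Sprintf("%s/%s -> %s",
				s.Metadata.Namespace, s.Metadata.Name, s.Spec.ExternalName))
		}
	}
	return findings, nil
}

func main() {
	allowed := []*regexp.Regexp{regexp.MustCompile(`^.*\.trusted-partner\.com$`)}
	fmt.Println(auditExternalNames([]byte(sampleServices), allowed))
}
```

An empty allow-list reports every ExternalName Service, which gives the full inventory to review before deciding whether the feature needs to be enabled at all.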
References
Read the full report for CVE-2026-24470 on our website for more details including interactive diagrams and full exploit analysis.