GHSA-8QQM-FP2Q-V734: Authorization Bypass in Skipper's Open Policy Agent Integration
Vulnerability ID: GHSA-8QQM-FP2Q-V734
CVSS Score: 8.2
Published: 2026-07-17
An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.
TL;DR
Oversized HTTP request bodies skip Skipper's OPA inspection filter but are still forwarded intact to backend microservices, causing deny-on-presence authorization checks to fail open.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 8.2
- Exploit Status: PoC Available
- Affected Component: filters/openpolicyagent
- Fixed Version: v0.27.26
Affected Systems
- Skipper Ingress Controller / Proxy
Code Analysis
Commit: 3152f3b
Fix: security opa authz bypass (#4041)
Mitigation Strategies
- Upgrade Skipper to version 0.27.26 or later.
- Explicitly update OPA Rego policies to fail-closed when input.attributes.request.http.truncated_body is true.
Remediation Steps:
- 1. Locate all ingress and routing policies utilizing OPA request body verification filter.
- 2. Implement package updates to Skipper v0.27.26 within your orchestrator deployment manifest.
- 3. Modify active OPA policies to evaluate the truncated_body property and deny requests when truncation occurs.
- 4. Deploy updated policies to OPA decision endpoints and perform verification testing using oversized requests.
References
- GHSA-8QQM-FP2Q-V734 Advisory
- GHSA-659f-rgp5-w4wf Advisory
- Code Fix Commit
- Official PR 4041
- Skipper v0.27.26 Release
Read the full report for GHSA-8QQM-FP2Q-V734 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)