CVE-2026-50197

Zalando · Skipper

Zalando Skipper is vulnerable to HTTP request smuggling due to inconsistent interpretation of HTTP requests between the proxy and backend services.

Executive summary

A high-severity HTTP request smuggling vulnerability in Zalando Skipper could allow attackers to bypass security controls and compromise downstream services.

Vulnerability

The application suffers from inconsistent interpretation of HTTP requests (CWE-444), commonly referred to as HTTP Request Smuggling. This allows an unauthenticated remote attacker to potentially poison caches or hijack connections between the proxy and backend services.

Business impact

This vulnerability carries a CVSS score of 7.8, indicating a significant risk to data integrity and system security. If exploited, an attacker could bypass authentication, access sensitive data, or perform actions on behalf of other users, leading to a loss of confidentiality and control over service composition.

Remediation

Immediate Action: Update Zalando Skipper to version 0.26.10 or later immediately.

Proactive Monitoring: Monitor traffic logs for suspicious HTTP header patterns or requests that deviate from standard protocol compliance.

Compensating Controls: Utilize a robust WAF to inspect and normalize incoming HTTP traffic, which can help detect and block smuggling attempts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations utilizing Skipper as their reverse proxy must deploy the latest update to ensure consistent HTTP request handling. Failure to patch may expose the entire service mesh to unauthorized request manipulation.