CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-659f-rgp5-w4wf: Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

highCVSS 8.7CVE-2026-50197
Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body (e.g. "deny when a forbidden field is present") evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block. Affected versions github.com/zalando/skipper versions <= v0.26.8 (the latest release on 2026-05-26, current master 4eed47ff). The vulnerable helper and gate have lived in filters/openpolicyagent/openpolicyagent.go since the buffered-body extractor was introduced; no released version contains the fix at the time of filing. Privilege required Unauthenticated network access to the skipper proxy listener. The threat model targets operators who place skipper in front of a private upstream and rely on opaAuthorizeRequestWithBody to enforce body-content checks (field allow/deny lists, payload schema gates, content-moderation flags, multi-tenant per-action authorization). Both HTTP/1.1 and HTTP/2 clients are affected; HTTP/2 traffic without a content-length pseudo-header is the dominant case because Go's net/http sets http.Request.ContentLength = -1 for chunked HTTP/1.1 AND for HTTP/2 requests whose framing carries the body as DATA frames without an explicit length header. Root cause filters/openpolicyagent/openpolicyagent.go:1242-1269 (HEAD 4eed47ff): func bodyUpperBound(contentLength, maxBodyBytes int64) int64 { if contentLength <= 0 { return maxBodyBytes } if contentLength < maxBodyBytes { return contentLeng

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.7
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-659f-rgp5-w4wf

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50197coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories