CVE-2026-50197
Summary
zalando/skipper's OpenPolicyAgent integration silently bypasses request-body
inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that
omit the content-length pseudo-header. When the
opaAuthorizeRequestWithBody filter is configured, the
OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an
empty raw_body for any request whose Content-Length header is missing,
while the underlying chunked body still flows through to the upstream
service. Rego policies that gate on input.parsed_body (e.g. "deny when a
forbidden field is present") evaluate against an empty document, treat the
forbidden field as absent, and authorize the request. The upstream handler
then receives the full attacker payload that the policy intended to block.
Affected versions
github.com/zalando/skipper versions <= v0.26.8 (the latest release on
2026-05-26, current master 4eed47ff). The vulnerable helper and gate
have lived in filters/openpolicyagent/openpolicyagent.go since the
buffered-body extractor was introduced; no released version contains the
fix at the time of filing.
Privilege required
Unauthenticated network access to the skipper proxy listener. The threat
model targets operators who place skipper in front of a private upstream
and rely on opaAuthorizeRequestWithBody to enforce body-content checks
(field allow/deny lists, payload schema gates, content-moderation flags,
multi-tenant per-action authorization). Both HTTP/1.1 and HTTP/2 clients
are affected; HTTP/2 traffic without a content-length pseudo-header is
the dominant case because Go's net/http sets
http.Request.ContentLength = -1 for chunked HTTP/1.1 AND for HTTP/2
requests whose framing carries the body as DATA frames without an explicit
length header.
Root cause
filters/openpolicyagent/openpolicyagent.go:1242-1269 (HEAD 4eed47ff):
func bodyUpperBound(contentLength, maxBodyBytes int64) int64 {
if contentLength <= 0 {
return maxBodyBytes
}
if contentLength < maxBodyBytes {
return contentLeng
⚡ Watch CVE-2026-50197
Get an email if CVE-2026-50197 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-50197)