CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50197

highCVSS 8.7covered by 1 sourcefirst seen 2026-07-08
Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body (e.g. "deny when a forbidden field is present") evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block. Affected versions github.com/zalando/skipper versions <= v0.26.8 (the latest release on 2026-05-26, current master 4eed47ff). The vulnerable helper and gate have lived in filters/openpolicyagent/openpolicyagent.go since the buffered-body extractor was introduced; no released version contains the fix at the time of filing. Privilege required Unauthenticated network access to the skipper proxy listener. The threat model targets operators who place skipper in front of a private upstream and rely on opaAuthorizeRequestWithBody to enforce body-content checks (field allow/deny lists, payload schema gates, content-moderation flags, multi-tenant per-action authorization). Both HTTP/1.1 and HTTP/2 clients are affected; HTTP/2 traffic without a content-length pseudo-header is the dominant case because Go's net/http sets http.Request.ContentLength = -1 for chunked HTTP/1.1 AND for HTTP/2 requests whose framing carries the body as DATA frames without an explicit length header. Root cause filters/openpolicyagent/openpolicyagent.go:1242-1269 (HEAD 4eed47ff): func bodyUpperBound(contentLength, maxBodyBytes int64) int64 { if contentLength <= 0 { return maxBodyBytes } if contentLength < maxBodyBytes { return contentLeng

⚡ Watch CVE-2026-50197

Get an email if CVE-2026-50197 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-50197

CVE.org record

Embed the live status

CVE-2026-50197 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50197 status](https://www.csirts.com/badge/CVE-2026-50197)](https://www.csirts.com/cve/CVE-2026-50197)