Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthoriz…
| CVE ID | CVE-2026-50197 |
| Vendor | go |
| Affected Product | github.com/zalando/skipper |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.7 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
zalando/skipper's OpenPolicyAgent integration silently bypasses request-bodyinspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the OpenPolicyAgentInstance.ExtractHttpBodyOptionally helper produces an empty raw_body for any request whose Content-Length header is missing, while the underlying chunked body still flows through to the upstream service. Rego policies that gate on input.parsed_body (e.g. "deny when a forbidden field is present") evaluate against an empty document, treat the forbidden field as absent, and authorize the request. The upstream handler then receives the full attacker payload that the policy intended to block.
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.