When running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services.
https://github.com/zalando/skipper/releases/tag/v0.24.0 disables Kubernetes ExternalName by default.
Developers can allow list targets of an ExternalName by using -kubernetes-only-allowed-external-names=true and allow list via regular expressions -kubernetes-allowed-external-name '^[a-z][a-z0-9-.]+[.].allowed.example$'
https://kubernetes.io/docs/concepts/services-networking/service/#externalname
{
"nvd_published_at": "2026-01-26T23:16:09Z",
"github_reviewed_at": "2026-01-26T23:26:56Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-441",
"CWE-918"
],
"github_reviewed": true
}