CRITICAL🇵🇱 Wersja polska

CVE-2026-32604

CVSS 9.9v3.1pub. 2026-04-20upd. 2026-04-23

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

🤖 AI Analysis
How it works

The vulnerability results from insufficient input validation (CWE-20) when handling gitrepo artifacts. An attacker with basic platform access can craft a request that will cause arbitrary system commands to be executed directly in the context of clouddriver pods. This mechanism does not require sophisticated techniques or elevated privileges — the attack vector is network-based, and the attack complexity is low.

Impact

Attackers can gain access to stored credentials, delete system files, or inject resources into infrastructure managed by Spinnaker. As a result, complete takeover of continuous delivery pipelines and cloud environments is possible.

Mitigation & patch

Spinnaker should be updated to version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, which contain the fix. As a workaround until the patch is deployed, it is recommended to disable gitrepo artifact type support.

Who is affected

Spinnaker (Linux Foundation) — all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Linuxfoundation Spinnaker

    APP
    Linuxfoundation
    < 2025.3.22025.4.0 – 2025.4.2 (bez)2026.0.0 – 2026.0.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-32613CRITICAL9.9PL ✓ten sam produkt

Spinnaker Echo: nieograniczony dostęp SPeL umożliwia RCE

CVE-2021-43832CRITICAL10.0ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allo...

CVE-2025-61916HIGH7.9ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, a...

CVE-2020-9301HIGH8.8ten sam produkt

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior...

CVE-2023-39348MEDIUM4.0ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status ...