Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
The vulnerability results from insufficient input validation (CWE-20) when handling gitrepo artifacts. An attacker with basic platform access can craft a request that will cause arbitrary system commands to be executed directly in the context of clouddriver pods. This mechanism does not require sophisticated techniques or elevated privileges — the attack vector is network-based, and the attack complexity is low.
Attackers can gain access to stored credentials, delete system files, or inject resources into infrastructure managed by Spinnaker. As a result, complete takeover of continuous delivery pipelines and cloud environments is possible.
Spinnaker should be updated to version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, which contain the fix. As a workaround until the patch is deployed, it is recommended to disable gitrepo artifact type support.
Spinnaker (Linux Foundation) — all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HLinuxfoundation Spinnaker
APPLinuxfoundation< 2025.3.22025.4.0 – 2025.4.2 (bez)2026.0.0 – 2026.0.1 (bez)
Related vulnerabilities
Spinnaker Echo: nieograniczony dostęp SPeL umożliwia RCE
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allo...
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, a...
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior...
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status ...