CRITICAL🇵🇱 Wersja polska

CVE-2026-32613

CVSS 9.9v3.1pub. 2026-04-20upd. 2026-04-23

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

🤖 AI Analysis
How it works

The Echo component uses SPeL to process information about expected artifacts. Unlike the Orca component, Echo did not restrict the context of expression evaluation to a trusted set of classes — attackers had access to the full JVM environment. An authenticated user could invoke arbitrary Java classes in a crafted SPeL expression, allowing execution of system commands, file read and write operations, and other operating system level operations.

Impact

An attacker with regular user privileges can remotely execute arbitrary code (RCE) on the server hosting Spinnaker, gaining full access to the file system, processes, and network resources, which may lead to complete compromise of the continuous delivery environment.

Mitigation & patch

Spinnaker should be updated to version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, which contain appropriate patches. As a workaround, it is possible to completely disable the Echo component, which eliminates the attack vector at the cost of losing associated functionality.

Who is affected

Spinnaker (Linux Foundation) in all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Linuxfoundation Spinnaker

    APP
    Linuxfoundation
    < 2025.3.22025.4.0 – 2025.4.2 (bez)2026.0.0 – 2026.0.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-32604CRITICAL9.9PL ✓ten sam produkt

RCE w Spinnaker — wykonanie dowolnych poleceń na podach clouddriver

CVE-2021-43832CRITICAL10.0ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allo...

CVE-2025-61916HIGH7.9ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, a...

CVE-2020-9301HIGH8.8ten sam produkt

Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior...

CVE-2023-39348MEDIUM4.0ten sam produkt

Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status ...