Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.
The Echo component uses SPeL to process information about expected artifacts. Unlike the Orca component, Echo did not restrict the context of expression evaluation to a trusted set of classes — attackers had access to the full JVM environment. An authenticated user could invoke arbitrary Java classes in a crafted SPeL expression, allowing execution of system commands, file read and write operations, and other operating system level operations.
An attacker with regular user privileges can remotely execute arbitrary code (RCE) on the server hosting Spinnaker, gaining full access to the file system, processes, and network resources, which may lead to complete compromise of the continuous delivery environment.
Spinnaker should be updated to version 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2, which contain appropriate patches. As a workaround, it is possible to completely disable the Echo component, which eliminates the attack vector at the cost of losing associated functionality.
Spinnaker (Linux Foundation) in all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HLinuxfoundation Spinnaker
APPLinuxfoundation< 2025.3.22025.4.0 – 2025.4.2 (bez)2026.0.0 – 2026.0.1 (bez)
Related vulnerabilities
RCE w Spinnaker — wykonanie dowolnych poleceń na podach clouddriver
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allo...
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, a...
Nolan Ray from Apple Information Security identified a security vulnerability in Spinnaker, all versions prior...
Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status ...