CVE-2026-32604
Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, the branch and path parameters of gitrepo artifacts are not properly sanitized, so an attacker can execute arbitrary commands on the clouddriver pods. This can expose credentials, delete files, or inject resources. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
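The page describes the weakness only as unsanitized branch and path input reaching clouddriver (CWE-20). The block below is an added example of the general hardening for that class, not Spinnaker's code or its actual fix: an allow-list for git ref names and repo-relative paths, a URL scheme check, and git invoked as an argv list with a `--` separator rather than through a shell. All function names, regexes and sample inputs are this example's own choices.

```python
# Added example (not Spinnaker project code): allow-list validation of a
# user-supplied git branch and repo-relative path before they reach git.
# Function names and rules below are this example's own choices.
import posixpath
import re
import subprocess
from typing import Callable, List
from urllib.parse import urlparse

# Conservative subset of the names `git check-ref-format --branch` accepts.
# The first character must be alphanumeric, so nothing that looks like an
# option ("-x", "--flag") can get through.
BRANCH_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")
# One path segment: may start with a dot (".github") but never with "-".
PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9.][A-Za-z0-9._-]{0,254}")
ALLOWED_URL_SCHEMES = {"https", "ssh"}


def validate_branch(branch: str) -> str:
    """Return branch unchanged if it is a safe ref name, else raise ValueError."""
    if not BRANCH_RE.fullmatch(branch):
        raise ValueError(f"branch has disallowed characters: {branch!r}")
    # Remaining git ref-name rules the character class alone does not enforce.
    if (".." in branch or "//" in branch or "/." in branch
            or branch.endswith((".", "/", ".lock"))):
        raise ValueError(f"branch violates ref-name rules: {branch!r}")
    return branch


def validate_path(path: str) -> str:
    """Return a normalised repo-relative path; reject absolute paths,
    traversal, empty segments and option-like segments."""
    if not path or path.startswith("/") or "\x00" in path:
        raise ValueError(f"path must be a non-empty relative path: {path!r}")
    norm = posixpath.normpath(path)  # collapses "./" and "//"
    for seg in norm.split("/"):
        if seg in ("", ".", "..") or not PATH_SEGMENT_RE.fullmatch(seg):
            raise ValueError(f"path escapes the repository or has a bad segment: {path!r}")
    return norm


def validate_repo_url(url: str) -> str:
    """Accept only https:// or ssh:// URLs with a host; scp-style
    'user@host:path' and git transport helpers such as ext:: are refused."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_URL_SCHEMES or not parsed.netloc:
        raise ValueError(f"repository URL not allowed: {url!r}")
    return url


def build_clone_argv(repo_url: str, branch: str, dest_dir: str) -> List[str]:
    """argv for a shallow single-branch clone. The list form never goes
    through a shell, and "--" ends option parsing before the URL.
    dest_dir is chosen by the caller, never by the user."""
    return ["git", "clone", "--depth", "1", "--single-branch",
            "--branch", validate_branch(branch), "--",
            validate_repo_url(repo_url), dest_dir]


def build_show_argv(branch: str, path: str) -> List[str]:
    """argv for reading one file at a branch tip; ':' joins ref and path and
    is excluded from the branch allow-list, so it cannot be smuggled in."""
    return ["git", "show", f"{validate_branch(branch)}:{validate_path(path)}"]


def run_git(argv: List[str], cwd: str = ".") -> str:
    """Run a prepared argv without a shell and return stdout."""
    return subprocess.run(argv, cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def rejects(validator: Callable[[str], str], value: str) -> bool:
    """True when the validator refuses the value; handy for self-checks."""
    try:
        validator(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign pair and a few hostile-looking ones.
    print(build_show_argv("release/2026.1", "./k8s//deploy.yaml"))
    for bad in ("--upload-pack=id", "main; id", "a..b"):
        print(bad, "->", "rejected" if rejects(validate_branch, bad) else "ACCEPTED")
```

The point of the argv builders is that validation happens once, at the boundary, and the validated values are handed to `subprocess` as separate arguments; no string is ever assembled for a shell to re-parse. Dotfile segments such as `.github` are allowed in paths but not as branch components, matching git's own ref rules.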
| CWE | CWE-20 |
| Vendor | spinnaker |
| Product | spinnaker |
| Published | Apr 20, 2026 |
| Last Updated | Apr 20, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
spinnaker / spinnaker
| 2025.3.x | < 2025.3.2 |
| 2025.4.x | < 2025.4.2 |
| 2026.0.x | < 2026.0.1 |
| 2026.1.x | < 2026.1.0 |
Release lines older than 2025.3 received no patched release and should be treated as affected.
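Because the fix landed on four separate release lines, a plain "less than" comparison against any single version misclassifies deployments. The block below is an added example, not Spinnaker tooling, that encodes the per-line fixed versions from this advisory and triages a list of deployed versions. The version strings are constructed inputs; the rule that release lines newer than 2026.1 carry the fix, and that lines older than 2025.3 do not, is an assumption drawn from the advisory's "prior to" wording.

```python
# Added example (not Spinnaker project code): decide whether a Spinnaker
# release version is affected by CVE-2026-32604 from the fixed versions the
# advisory names. Version strings below are constructed inputs; the
# "later lines inherit the fix" rule is an assumption.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched release per release line (year, minor), from the advisory.
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {
    (2025, 3): (2025, 3, 2),
    (2025, 4): (2025, 4, 2),
    (2026, 0): (2026, 0, 1),
    (2026, 1): (2026, 1, 0),
}
# Newest line with a fix; lines after it are assumed to carry it, lines
# before it without their own patch (e.g. 2025.2.x) are assumed unpatched.
NEWEST_FIXED_LINE = (2026, 1)


def parse_version(version: str) -> Version:
    """Parse 'YYYY.minor.patch', tolerating a 'spinnaker-release-' tag prefix
    or a leading 'v'; anything else raises ValueError."""
    v = version.strip()
    for prefix in ("spinnaker-release-", "v"):
        if v.startswith(prefix):
            v = v[len(prefix):]
    parts = v.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spinnaker version: {version!r}")
    year, minor, patch = (int(p) for p in parts)
    return year, minor, patch


def fixed_version_for(version: str) -> Optional[Version]:
    """The release on the same line that closes the issue, or None if the
    line never received one."""
    year, minor, _ = parse_version(version)
    return FIXED_BY_LINE.get((year, minor))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the patch for its release line."""
    parsed = parse_version(version)
    line = parsed[:2]
    fixed = FIXED_BY_LINE.get(line)
    if fixed is not None:
        return parsed < fixed        # below the patch release on this line
    return line < NEWEST_FIXED_LINE  # unpatched older line vs newer line


def triage(versions: List[str]) -> Dict[str, str]:
    """Map each deployed version to an action; unparsable strings are flagged."""
    result: Dict[str, str] = {}
    for v in versions:
        try:
            if is_vulnerable(v):
                fixed = fixed_version_for(v)
                target = ".".join(map(str, fixed)) if fixed else "2026.1.0"
                result[v] = f"affected: upgrade to {target} or disable gitrepo artifact types"
            else:
                result[v] = "not affected"
        except ValueError as exc:
            result[v] = f"unknown: {exc}"
    return result


if __name__ == "__main__":
    # Constructed inventory of clouddriver versions for the demo.
    for v, verdict in triage(["2025.2.3", "2025.3.1", "2025.4.2",
                              "2026.0.0", "spinnaker-release-2026.1.0",
                              "latest"]).items():
        print(f"{v:30} {verdict}")
```

Feed `triage` the version reported by each clouddriver deployment; versions on a line without its own patch are pointed at 2026.1.0, and anything the parser does not recognise (a floating tag such as `latest`, a custom build) is reported rather than silently treated as safe.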
References
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1