CVE-2026-32613

CRITICAL 10.0

Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

CWE	CWE-94
Vendor	spinnaker
Product	spinnaker
Published	Apr 20, 2026
Last Updated	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for spinnaker spinnaker

Be the first to know when new critical vulnerabilities affecting spinnaker spinnaker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

spinnaker / spinnaker

< 2026.0.1 < 2025.4.2 < 2025.3.2 < 2026.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6 github.com: https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2 github.com: https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2 github.com: https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1