๐Ÿ” CVE Alert

CVE-2026-44795

HIGH 8.8

Spinnaker: Non-safe yaml deserialization allowing RCE when using specific types

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to remote code execution. This issue is fixed in versions 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3.

CWE CWE-470 CWE-502
Vendor spinnaker
Product spinnaker
Published Jul 10, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for spinnaker spinnaker

Be the first to know when new high vulnerabilities affecting spinnaker spinnaker are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

spinnaker / spinnaker
>= 2025.4.0, < 2025.4.4 >= 2026.0.0, < 2026.0.3 < 2025.3.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/spinnaker/spinnaker/security/advisories/GHSA-c8q4-9h32-2ww8 github.com: https://github.com/spinnaker/spinnaker/commit/4cbe1d5fea9df573aadfd8b093fb4b594b354ee5 github.com: https://github.com/spinnaker/spinnaker/commit/e57c0db4584b398473a7bbb19402ce6c1e89b627 github.com: https://github.com/spinnaker/spinnaker/commit/f69d7b534d068ed74d0d3a1fbf17e2c945d36e5e