CVE-2026-32613

{"id": "CVE-2026-32613", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-04-20T21:16:32.623", "references": [{"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://zeropath.com/blog/spinnaker-rce-production-compromise", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely."}], "lastModified": "2026-04-23T18:30:37.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B7FB62-8F2B-479F-9A67-BF089F62CBD8", "versionEndExcluding": "2025.3.2"}, {"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46906F2E-400B-4A1F-A36D-C9BD40E9E7D0", "versionEndExcluding": "2025.4.2", "versionStartIncluding": "2025.4.0"}, {"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "667562C0-156D-4D2B-A446-67A2EBFB4CEF", "versionEndExcluding": "2026.0.1", "versionStartIncluding": "2026.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}