CVE-2026-32604

Medienbericht

EPSS 0.08%
Veröffentlicht 20.04.2026 20:00:57
Zuletzt bearbeitet 23.04.2026 18:30:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Spinnaker Version < 2025.3.2

Linuxfoundation ≫ Spinnaker Version >= 2025.4.0 < 2025.4.2

Linuxfoundation ≫ Spinnaker Version >= 2026.0.0 < 2026.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.236

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html

Media Report

https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r

Vendor Advisory

Mitigation

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2

Product

Release Notes

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2

Product

Release Notes

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1