9.9

CVE-2026-32604

Medienbericht

Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxfoundationSpinnaker Version < 2025.3.2
LinuxfoundationSpinnaker Version >= 2025.4.0 < 2025.4.2
LinuxfoundationSpinnaker Version >= 2026.0.0 < 2026.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.61% 0.443
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 9.9 3.1 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
27.04.2026 17:36
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
Vendor Advisory
Mitigation
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
Product
Release Notes
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2
Product
Release Notes
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1
Product
Release Notes
https://zeropath.com/blog/spinnaker-rce-production-compromise