CVE-2026-32613

CRITICAL LAB

Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-32613. PoCs published by ZeroPathAI.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-32613, demonstrating SpEL RCE via expectedArtifacts in Spinnaker's Echo service. It includes a detailed technical writeup, setup scripts, and PoC code that achieves arbitrary command execution.

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Exploits (1)

github WORKING POC

by ZeroPathAI · pythonpoc

https://github.com/ZeroPathAI/spinnaker-poc

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2026-32613, demonstrating SpEL RCE via expectedArtifacts in Spinnaker's Echo service. It includes a detailed technical writeup, setup scripts, and PoC code that achieves arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Spinnaker (Echo service)

Auth required

Prerequisites: Docker · Git · Python 3.10+ · uv · authenticated access to Spinnaker Gate

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 01, 2026 Full analysis →

References (5)

Core 5

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6

X_Refsource_Misc x_refsource_misc

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2

X_Refsource_Misc x_refsource_misc

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2

X_Refsource_Misc x_refsource_misc

https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1

Various Sources

https://zeropath.com/blog/spinnaker-rce-production-compromise

Scores

CVSS v3 9.9

EPSS 0.0055

EPSS Percentile 41.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull spinnaker-base:local

docker pull minio/minio:latest

docker pull minio/mc:latest

docker pull osixia/openldap:1.5.0

docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.15

https://github.com/ZeroPathAI/spinnaker-poc

View in Library

Details

CWE

CWE-94

Status published

Products (6)

io.spinnaker.echo/echo-pipelinetriggers 2026.0-0 - 2026.0.1Maven

linuxfoundation/spinnaker < 2025.3.2

spinnaker/spinnaker < 2025.3.2

spinnaker/spinnaker < 2025.4.2

spinnaker/spinnaker < 2026.0.1

spinnaker/spinnaker < 2026.1.0

Published Apr 20, 2026

Tracked Since Apr 21, 2026