CVE-2026-32613

CRITICAL LAB

Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling

Title source: cna
STIX 2.1

Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Exploits (1)

github WORKING POC
by ZeroPathAI · pythonpoc
https://github.com/ZeroPathAI/spinnaker-poc

References (5)

Scores

CVSS v3 9.9
EPSS 0.0008
EPSS Percentile 22.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull spinnaker-base:local
docker pull minio/minio:latest
docker pull minio/mc:latest
docker pull osixia/openldap:1.5.0
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.15

Details

CWE
CWE-94
Status published
Products (6)
io.spinnaker.echo/echo-pipelinetriggers 2026.0-0 - 2026.0.1Maven
linuxfoundation/spinnaker < 2025.3.2
spinnaker/spinnaker < 2025.3.2
spinnaker/spinnaker < 2025.4.2
spinnaker/spinnaker < 2026.0.1
spinnaker/spinnaker < 2026.1.0
Published Apr 20, 2026
Tracked Since Apr 21, 2026