Threat Advisory

Spinnaker Echo Vulnerability Enables Remote Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Spinnaker continuous delivery platform, specifically in the io.spinnaker.echo:echo-pipelinetriggers and io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo packages. Both enable remote code execution (RCE): the Echo flaw stems from unrestricted evaluation-context handling when parsing SpEL (Spring Expression Language) expressions, and the Clouddriver flaw from improper sanitization of user-supplied branch names and paths in gitrepo artifacts. The business risk and impact are significant: an attacker could invoke commands, read files, and inject resources, potentially exposing sensitive information (including credentials held by the affected services), disrupting services, or causing data loss.

  • CVE-2026-32613 (CVSS score 10.0, echo-pipelinetriggers) – A remote attacker can abuse unrestricted evaluation-context handling in SpEL expression parsing to reference and invoke arbitrary Java classes, gaining deep access to the host process and the ability to run commands, read files, and more.
  • CVE-2026-32604 (CVSS score 10.0, clouddriver-artifacts-gitrepo) – A remote attacker can abuse improper sanitization of user-supplied branch names and paths in gitrepo artifacts to execute arbitrary commands on the Clouddriver pods, exposing credentials, deleting files, or injecting resources.
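
The first issue is the classic SpEL hardening mistake: evaluating attacker-influenced expressions with a full `StandardEvaluationContext`, which resolves `T(...)` type references and therefore reaches `java.lang.Runtime`. The following is an added illustration written for this advisory, not Spinnaker's code; it assumes only `spring-expression` on the classpath and uses a constructed probe expression (reading a CPU count rather than running a process) to show the difference between the unrestricted context and a `SimpleEvaluationContext`:

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Illustrative only (not Spinnaker code): evaluating attacker-influenced SpEL
 * with an unrestricted StandardEvaluationContext versus a restricted
 * SimpleEvaluationContext.
 */
public class SpelContextDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed probe: a type reference that reaches java.lang.Runtime. It only
    // reads a counter here; an attacker would call exec("...") on the same object.
    static final String RUNTIME_PROBE =
            "T(java.lang.Runtime).getRuntime().availableProcessors()";

    // Vulnerable pattern: StandardEvaluationContext resolves T(...) type references,
    // constructors and bean references, so any class on the classpath is reachable.
    static Object evaluateUnrestricted(String expression) {
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(new StandardEvaluationContext());
    }

    // Hardened pattern: SimpleEvaluationContext has no TypeLocator, so T(...) fails
    // with a SpelEvaluationException before anything is invoked, while plain data
    // binding (literals, operators, property access on a root object) still works.
    static Object evaluateRestricted(String expression) {
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
    }

    public static void main(String[] args) {
        String benign = "'build-' + 42";
        System.out.println("restricted, benign expression : " + evaluateRestricted(benign));
        System.out.println("unrestricted, Runtime probe   : " + evaluateUnrestricted(RUNTIME_PROBE));
        try {
            evaluateRestricted(RUNTIME_PROBE);
            System.out.println("restricted, Runtime probe     : NOT blocked (unexpected)");
        } catch (SpelEvaluationException ex) {
            System.out.println("restricted, Runtime probe     : blocked, " + ex.getMessageCode());
        }
    }
}
```

Run it and the probe resolves under the standard context but is rejected under the restricted one. The practical check for any service that evaluates expressions from pipeline or trigger definitions is the same: find every `getValue(...)` call, confirm the context it receives, and treat any `StandardEvaluationContext` fed by user-controlled input as reachable code execution.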

The identified vulnerabilities pose a significant risk to organizations running Spinnaker, potentially leading to data breaches, service disruptions, or financial losses. Successful exploitation could result in unauthorized access to sensitive information, loss of system integrity, and loss of availability of critical services. Clouddriver in particular holds the account credentials Spinnaker uses to deploy to target clouds and clusters, so compromise of its pods can extend to those targets.
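
For the second issue, the practitioner-side question is what validation the gitrepo artifact's branch and path values must pass before they reach a git process. The advisory does not state the exact vector, but one classic way an unvalidated branch name becomes command execution is option injection (a value beginning with `-`, such as `--upload-pack=<command>`, which git runs); paths are the analogous traversal risk. The following is an added illustration written for this advisory, not Clouddriver's code; it assumes a hypothetical `GitRepoArtifactInput` helper and a clone invocation built as an argument vector rather than a shell string:

```java
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative only (not Clouddriver code): validate attacker-influenced branch
 * and sub-path values from a gitrepo artifact before they reach a git process.
 */
public final class GitRepoArtifactInput {

    // Allow-list for branch names. The first character must be alphanumeric, which
    // rules out a leading '-' (git would otherwise parse the value as an option,
    // e.g. --upload-pack=<command>). Shell metacharacters are excluded entirely.
    private static final Pattern SAFE_BRANCH =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._/-]{0,254}");

    static String validateBranch(String branch) {
        if (branch == null || !SAFE_BRANCH.matcher(branch).matches()) {
            throw new IllegalArgumentException("branch name contains disallowed characters");
        }
        // Sequences git's own ref rules reject; refusing them keeps the value unambiguous.
        if (branch.contains("..") || branch.contains("//") || branch.contains("/.")
                || branch.endsWith("/") || branch.endsWith(".lock")) {
            throw new IllegalArgumentException("branch name is not a valid ref");
        }
        return branch;
    }

    // Resolve a user-supplied sub-path inside the checkout and refuse anything that
    // normalises outside it (absolute paths, ../ segments). This is a lexical check
    // only; after checkout, compare toRealPath() as well so repo symlinks cannot escape.
    static Path resolveSubPath(Path checkoutRoot, String subPath) {
        Path root = checkoutRoot.toAbsolutePath().normalize();
        Path resolved = root.resolve(subPath).normalize();
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("sub-path escapes the checkout directory");
        }
        return resolved;
    }

    // Build the clone command as an argument vector (no shell), with the validated
    // branch in its own option and "--" before the positional arguments so git cannot
    // interpret the remaining values as options. The repository URL is assumed to be
    // validated separately against an allow-list of permitted hosts.
    static List<String> cloneCommand(String repoUrl, String branch, Path targetDir) {
        List<String> argv = new ArrayList<>();
        argv.add("git");
        argv.add("clone");
        argv.add("--depth=1");
        argv.add("--single-branch");
        argv.add("--branch=" + validateBranch(branch));
        argv.add("--");
        argv.add(repoUrl);
        argv.add(targetDir.toString());
        return argv;
    }

    public static void main(String[] args) {
        Path root = Path.of("/tmp/checkout");
        System.out.println(cloneCommand("https://example.invalid/repo.git", "release/2026.0", root));
        System.out.println(resolveSubPath(root, "manifests/app.yaml"));

        // Constructed hostile inputs: option injection, shell metacharacters, invalid ref.
        String[] hostileBranches = {"--upload-pack=touch /tmp/pwned", "main;id", "a..b"};
        for (String hostile : hostileBranches) {
            try {
                validateBranch(hostile);
                System.out.println("accepted (unexpected): " + hostile);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected branch: " + hostile);
            }
        }
        try {
            resolveSubPath(root, "../../etc/passwd");
            System.out.println("accepted path (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected path: ../../etc/passwd");
        }
    }
}
```

The argument vector would be handed to `ProcessBuilder` directly; never concatenate it into a shell command line. The two defences are independent and both are needed: the allow-list stops option and metacharacter injection, and the `--` separator stops git from reinterpreting anything that slips through as a flag.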

RECOMMENDATION:

We recommend updating maven/io.spinnaker.echo:echo-pipelinetriggers to version 2026.0.1, 2025.4.2, or 2025.3.2. This advisory does not list a fixed version for io.spinnaker.clouddriver:clouddriver-artifacts-gitrepo; consult the referenced advisories for its patched releases and update Clouddriver alongside Echo. Until both are patched, restrict who can create or modify pipelines, triggers, and expected artifacts, and limit network exposure of Echo's webhook and trigger endpoints, since both flaws are reached through attacker-controlled pipeline input.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-69rw-45wj-g4v6
https://github.com/advisories/GHSA-x3j7-7pgj-h87r
