{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.271Z", "datePublished": "2026-04-20T20:07:24.697Z", "dateUpdated": "2026-04-22T03:56:18.686Z"}, "containers": {"cna": {"title": "Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1"}], "affected": [{"vendor": "spinnaker", "product": "spinnaker", "versions": [{"version": "< 2026.0.1", "status": "affected"}, {"version": "< 2025.4.2", "status": "affected"}, {"version": "< 2025.3.2", "status": "affected"}, {"version": "< 2026.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:08:54.702Z"}, "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely."}], "source": {"advisory": "GHSA-69rw-45wj-g4v6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32613"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T03:56:18.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T18:04:19.716920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:04:25.577Z"}}], "cna": {"title": "Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling", "source": {"advisory": "GHSA-69rw-45wj-g4v6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "spinnaker", "product": "spinnaker", "versions": [{"status": "affected", "version": "< 2026.0.1"}, {"status": "affected", "version": "< 2025.4.2"}, {"status": "affected", "version": "< 2025.3.2"}, {"status": "affected", "version": "< 2026.1.0"}]}], "references": [{"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6", "name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:08:54.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32613", "state": "PUBLISHED", "dateUpdated": "2026-04-22T03:56:18.686Z", "dateReserved": "2026-03-12T14:54:24.271Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T20:07:24.697Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely."}], "id": "CVE-2026-32613", "lastModified": "2026-04-21T16:20:24.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T21:16:32.623", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.4.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "spinnaker", "source": "cna", "vendor": "spinnaker"}, "product": "spinnaker", "vendor": "spinnaker"}], "analysis": {"en": {"generated_at": "2026-04-21T00:00:50.114156+00:00", "value": {"mitigation_remediation": ["Upgrade Spinnaker to a patched release (2026.1.0 or newer, 2026.0.1, 2025.4.2, or 2025.3.2).", "If an upgrade is not immediately possible, disable the Echo service entirely to remove the vulnerable expression parsing path.", "After remediation, monitor Spinnaker logs for suspicious SpEL evaluations and restrict custom artifact processing to trusted classes only."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Spinnaker, an open\u2011source, multi\u2011cloud continuous delivery platform. Versions before 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 are vulnerable. Patches are included in releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. Earlier releases do not contain the fix.", "description_and_impact": "Spinnaker\u2019s Echo component parses Spring Expression Language (SpEL) expressions that relate to expected artifacts. In versions older than 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, the SpEL context was not limited to a whitelist of trusted classes, giving an attacker full access to the Java Virtual Machine. This flaw can allow arbitrary Java class loading and execution, including running system commands, reading or writing files, and other actions that compromise confidentiality, integrity, and availability. The vulnerability corresponds to CWE-94, an injection flaw that enables code execution.", "risk_and_exploitability": "The CVSS score is 10, indicating a severe risk. The EPSS score is not available, so the likelihood of exploitation cannot be quantified from the available data. The vulnerability is not listed in the CISA KEV catalog. Perhaps the most likely attack vector is an authenticated user who crafts malicious SpEL expressions within artifact configurations; a pass\u2011the\u2011hash or privilege escalation scenario could also be feasible because the untrusted context allows arbitrary JVM access. If an attacker can supply these expressions, they can execute arbitrary code on the Spinnaker host."}}}}, "created": "2026-04-21T00:15:16.113032+00:00", "updated": "2026-04-22T11:47:15.505964+00:00", "vendors": ["spinnaker", "spinnaker$PRODUCT$spinnaker"]}