Description
### Impact
Spinnaker updated its URL validation logic to sanitize user-supplied URLs for clouddriver. However, the update missed that Java URL objects do not correctly handle underscores when parsing hostnames. This allowed the fix for the previous CVE (CVE-2025-61916) to be bypassed with carefully crafted URLs. Note that Spinnaker found this issue not only in the code addressed by that CVE but also in the existing URL validation for Orca's fromUrl expression handling, so this CVE affects BOTH artifacts.

### Patches
This has been merged and will be available in versions 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0.

### Workarounds
As a workaround, the affected artifact types can be disabled on the system.
Published: 2026-03-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from a flaw in Spinnaker's URL validation logic: Java URL objects fail to handle underscores in hostnames correctly. The result is a validation bypass that recreates the conditions of the earlier CVE-2025-61916 and allows an attacker to supply crafted URLs that are treated as safe. The impact is potential arbitrary code execution or control over the Spinnaker deployment, since the crafted URLs are processed by clouddriver or orca.
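As an added illustration of the parser behaviour described in the Description and in this Impact analysis (this is not code from Spinnaker or from the advisory), the following Java snippet shows that java.net.URL reports a host containing an underscore verbatim while java.net.URI returns null for it, and a hardened allowlist check that rejects any URL the two parsers disagree on. The class, method names and the allowlist host are constructed for this example.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

public final class HostAllowlistCheck {

    // Constructed allowlist for illustration only; not Spinnaker's configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("artifacts.example.com");

    /** Host as java.net.URL reports it: no hostname syntax check, so '_' passes through. */
    static String urlHost(String raw) throws MalformedURLException {
        return new URL(raw).getHost();
    }

    /** Host as java.net.URI reports it: null when the authority is not a valid
     *  server-based hostname (an underscore makes it registry-based). */
    static String uriHost(String raw) throws URISyntaxException {
        return new URI(raw).getHost();
    }

    /**
     * Hardened check: parse with URI, require a non-null host, require an exact
     * allowlist match, and require that URL's view of the host agrees with URI's.
     * Any input the two parsers disagree on is rejected instead of trusted.
     */
    static boolean isAllowed(String raw) {
        try {
            String host = new URI(raw).getHost();
            if (host == null) {
                return false; // registry-based or missing authority: cannot be validated
            }
            if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
                return false;
            }
            return host.equalsIgnoreCase(new URL(raw).getHost());
        } catch (URISyntaxException | MalformedURLException e) {
            return false; // unparseable input is never allowed
        }
    }

    public static void main(String[] args) throws Exception {
        String clean = "https://artifacts.example.com/a.tgz";     // constructed sample
        String odd = "https://artifacts_example.com/a.tgz";       // constructed sample with '_'
        System.out.println("URL host: " + urlHost(odd) + ", URI host: " + uriHost(odd));
        System.out.println("clean allowed: " + isAllowed(clean) + ", odd allowed: " + isAllowed(odd));
    }
}
```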

Affected Systems

Affected products include io.spinnaker.clouddriver:clouddriver-artifacts and io.spinnaker.orca:orca-core. The vulnerability affects all earlier releases and is fixed in 2025.4.1, 2025.3.1, 2025.2.4 and 2026.0.0, so any instance running a version before these is vulnerable.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.1, indicating a high risk of exploitation. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote, requiring an attacker to supply a malicious URL to a user-facing endpoint; no local privilege escalation or other initial access requirements are noted in the provided description.

Generated by OpenCVE AI on March 17, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spinnaker clouddriver to version 2025.4.1 or later (including 2026.0.0).
  • Upgrade Spinnaker orca to version 2025.4.1 or later (including 2026.0.0).
  • If an immediate upgrade is not possible, disable the affected artifacts on the system as a temporary mitigation.

Advisories

| Source | ID | Title |
| --- | --- | --- |
| GitHub GHSA | GHSA-8r8j-gfhg-fw38 | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames |
History

Wed, 18 Mar 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Spinnaker; Spinnaker clouddriver-artifacts; Spinnaker orca |
| Vendors & Products | | Spinnaker; Spinnaker clouddriver-artifacts; Spinnaker orca |

Tue, 17 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Tue, 17 Mar 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | (advisory text as shown under Description above) |
| Title | | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T17:58:31.817Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25534

Vulnrichment

Updated: 2026-03-17T17:58:26.142Z

NVD

Status : Deferred

Published: 2026-03-17T18:16:15.063

Modified: 2026-04-16T14:46:24.290

Link: CVE-2026-25534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:59Z

Weaknesses