Description
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
Published: 2026-04-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an input validation flaw that lets a malicious actor specify arbitrary branch names and paths for gitrepo artifacts, enabling remote code execution on the clouddriver pods. An attacker who can configure such artifacts can run arbitrary shell commands, potentially exposing credentials, deleting files, or injecting additional resources. The flaw is classified as improper input validation (CWE-20); its CVSS score of 10 reflects full compromise of the affected instance.

Affected Systems

Spinnaker installations built from the open source Spinnaker platform at versions prior to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 are vulnerable. The vulnerability is fixed in releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, one patched release per affected release line.

Risk and Exploitability

The CVSS score is the maximum possible, while no EPSS score was available to this analysis, leaving the likelihood of exploitation uncertain. The flaw is not listed in CISA KEV, so no actively exploited instances had been reported as of the last update. The attack vector is inferred to require an attacker who can inject configuration into a Spinnaker pipeline or artifact definition, typically through the UI or API, and supply malicious branch or path values; this matches the CVSS vector (network-reachable, low privileges, no user interaction). With such access, arbitrary commands can be executed on the underlying clouddriver pods.

Generated by OpenCVE AI on April 21, 2026 at 00:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to any of the patched Spinnaker releases – 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 – which contain the input sanitization fix.
  • If an upgrade cannot be performed immediately, disable the gitrepo artifact type in all pipeline configurations to eliminate the attack surface.
  • Restrict configuration permissions to trusted operators and enable audit logging to detect any unauthorized changes to gitrepo artifact definitions.



Advisories
Source: GitHub GHSA
ID: GHSA-x3j7-7pgj-h87r
Title: Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
History

Mon, 20 Apr 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Type: Title
Values Removed: (none)
Values Added: Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: score 10, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T20:07:31.157Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32604

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T21:16:32.457

Modified: 2026-04-20T21:16:32.457

Link: CVE-2026-32604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses