Description
Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes which allow deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.
Published: 2026-04-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Spinnaker’s Echo component parses Spring Expression Language (SpEL) expressions that relate to expected artifacts. In versions older than 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, the SpEL context was not limited to a whitelist of trusted classes, giving an attacker full access to the Java Virtual Machine. This flaw can allow arbitrary Java class loading and execution, including running system commands, reading or writing files, and other actions that compromise confidentiality, integrity, and availability. The vulnerability corresponds to CWE-94, an injection flaw that enables code execution.
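As an added illustration (not code from Spinnaker or Echo), the weak SpEL setup described above beside Spring's restricted alternative: StandardEvaluationContext resolves any JVM type through a T(...) reference, while SimpleEvaluationContext, which limits an expression to data binding against the root object, refuses it. The ExpectedArtifact class and both expressions are constructed for the demo, and a harmless java.lang.Math call stands in for the type reference.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ArtifactSpelDemo {
    // Constructed stand-in for an expected-artifact object (not Echo's real model class).
    public static class ExpectedArtifact {
        private final String name;
        private final String version;
        public ExpectedArtifact(String name, String version) { this.name = name; this.version = version; }
        public String getName() { return name; }
        public String getVersion() { return version; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak setting: StandardEvaluationContext wires in a type locator, constructor resolver and
    // reflective method resolver, so an expression can reach any class on the JVM classpath.
    static Object evaluateUnrestricted(String expr, Object root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Hardened setting: SimpleEvaluationContext limits the expression to reading properties of
    // the root object; T(...) type references, constructors and bean references are refused.
    static Object evaluateRestricted(String expr, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        ExpectedArtifact artifact = new ExpectedArtifact("app", "1.2.3");
        String dataBinding = "name + ':' + version";
        // A harmless type reference, used only to show that the weak context resolves JVM classes.
        String typeReference = "T(java.lang.Math).max(2, 3)";

        for (String expr : new String[] {dataBinding, typeReference}) {
            System.out.println("unrestricted " + expr + " -> " + evaluateUnrestricted(expr, artifact));
            try {
                System.out.println("restricted   " + expr + " -> " + evaluateRestricted(expr, artifact));
            } catch (EvaluationException e) {
                // Expected for the type reference: the restricted context has no type locator.
                System.out.println("restricted   " + expr + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The data-binding expression evaluates to "app:1.2.3" in both contexts; the type reference evaluates to 3 only in the unrestricted one and is rejected in the restricted one, which is the class-restriction the patched versions are described as adding.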

Affected Systems

The affected product is Spinnaker, an open‑source, multi‑cloud continuous delivery platform. Versions before 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 are vulnerable. Patches are included in releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. Earlier releases do not contain the fix.

Risk and Exploitability

The CVSS score is 10, indicating a severe risk. The EPSS score is not available, so the likelihood of exploitation cannot be quantified from the available data. The vulnerability is not listed in the CISA KEV catalog. Perhaps the most likely attack vector is an authenticated user who crafts malicious SpEL expressions within artifact configurations; a pass‑the‑hash or privilege escalation scenario could also be feasible because the untrusted context allows arbitrary JVM access. If an attacker can supply these expressions, they can execute arbitrary code on the Spinnaker host.

Generated by OpenCVE AI on April 21, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spinnaker to a patched release (2026.1.0 or newer, 2026.0.1, 2025.4.2, or 2025.3.2).
  • If an upgrade is not immediately possible, disable the Echo service entirely to remove the vulnerable expression parsing path.
  • After remediation, monitor Spinnaker logs for suspicious SpEL evaluations and restrict custom artifact processing to trusted classes only.


Advisories
Source: GitHub GHSA
ID: GHSA-69rw-45wj-g4v6
Title: Spinnaker: RCE via expression parsing due to unrestricted context handling
History

Wed, 22 Apr 2026 00:00:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 21:00:00 +0000

Description added: Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary Java classes which allow deep access to the system, including the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable Echo entirely.
Title added: Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling
Weaknesses added: CWE-94
References added: none listed
Metrics (cvssV3_1) added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:50:20.102Z

Reserved: 2026-03-12T14:54:24.271Z

Link: CVE-2026-32613

Vulnrichment

Updated: 2026-04-21T18:04:25.577Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T21:16:32.623

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-32613

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses