CVE-2026-32604 PUBLISHED

Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Assigner: GitHub_M
Reserved: 12.03.2026 Published: 20.04.2026 Updated: 20.04.2026

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	spinnaker
Product	spinnaker
Versions	Version < 2026.0.1 is affected Version < 2025.4.2 is affected Version < 2025.3.2 is affected Version < 2026.1.0 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE