CVE-2026-55175 PUBLISHED

Spinnaker: Improper yaml processing on kustomize bake operations

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 10.07.2026 Updated: 10.07.2026

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.5

Product Status

Vendor spinnaker
Product spinnaker
Versions
  • Version >= 2026.1.0, < 2026.1.1 is affected
  • Version >= 2026.0.0, < 2026.0.3 is affected
  • Version >= 2025.4.0, < 2025.4.4 is affected
  • Version < 2025.3.4 is affected

References

Problem Types

  • CWE-502: Deserialization of Untrusted Data CWE