What is CVE-2026-25534?

CVE-2026-25534 is a critical-severity vulnerability in Io.spinnaker.clouddriver Clouddriver-artifacts, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.1/10. Published 2026-03-17.

How severe is CVE-2026-25534?

Critical severity. CVSS v3 base score is 9.1 out of 10.

SSRF in Io.spinnaker.clouddriver Clouddriver-artifacts

CVE-2026-25534

### Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (19.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L.

Affected products

Io.spinnaker.clouddriver Clouddriver-artifacts — versions < 2025.2.4, >= 2025.3.0, < 2025.3.1, >= 2025.4.0, < 2025.4.1
Io.spinnaker.orca Orca-core — versions < 2025.2.4, >= 2025.3.0, < 2025.3.1, >= 2025.4.0, < 2025.4.1

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/spinnaker/spinnaker/security/advisories/GHSA-8r8j-gfhg-fw38 (x_refsource_CONFIRM)
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h (x_refsource_MISC)
https://github.com/spinnaker/spinnaker/commit/7c4737906239a958a468e843239c6785b03d0eda (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25534?: CVE-2026-25534 is a critical-severity vulnerability in Io.spinnaker.clouddriver Clouddriver-artifacts, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.1/10. Published 2026-03-17.
How severe is CVE-2026-25534?: Critical severity. CVSS v3 base score is 9.1 out of 10.