RCE in Spinnaker
CVE-2026-32613
Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 20…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.000 (9.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Spinnaker — versions < 2026.0.1, < 2025.4.2, < 2025.3.2
Weakness classification (CWE)
References
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6 (x_refsource_CONFIRM)
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2 (x_refsource_MISC)
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2 (x_refsource_MISC)
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-32613?
- CVE-2026-32613 is a critical-severity vulnerability in Spinnaker, classified under Code Injection. CVSS score: 10.0/10. Published 2026-04-20.
- How severe is CVE-2026-32613?
- Critical severity. CVSS v3 base score is 10.0 out of 10.