Deserialization in Spinnaker
CVE-2026-44795
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking…
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Spinnaker — versions >= 2025.4.0, < 2025.4.4, >= 2026.0.0, < 2026.0.3, < 2025.3.3
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-44795?
- CVE-2026-44795 is a high-severity vulnerability in Spinnaker, classified under Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection). CVSS score: 8.8/10. Published 2026-07-10.
- How severe is CVE-2026-44795?
- High severity. CVSS v3 base score is 8.8 out of 10.