CVE-2026-32604
Received
Published: 20 Apr 2026, 20:00
Last modified:20 Apr 2026, 20:07
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
10 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
20 Apr 2026, 20:00
Published
Vulnerability first disclosed
20 Apr 2026, 20:07
Last Modified
Vulnerability information updated
Description
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.
CVSS Metrics
- v3.1•CRITICAL•Score: 10CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Techniques & Countermeasures
- CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Affected Systems
- spinnaker•spinnaker
< 2026.0.1 | < 2025.4.2 | < 2025.3.2 | < 2026.1.0
References (4)
- https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2
- https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1