{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32604", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.270Z", "datePublished": "2026-04-20T20:00:57.517Z", "dateUpdated": "2026-04-23T16:28:39.326Z"}, "containers": {"cna": {"title": "Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2"}, {"name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1"}], "affected": [{"vendor": "spinnaker", "product": "spinnaker", "versions": [{"version": "< 2026.0.1", "status": "affected"}, {"version": "< 2025.4.2", "status": "affected"}, {"version": "< 2025.3.2", "status": "affected"}, {"version": "< 2026.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:07:31.157Z"}, "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types."}], "source": {"advisory": "GHSA-x3j7-7pgj-h87r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32604"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T03:56:17.486Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-23T16:28:39.326Z"}, "references": [{"url": "https://zeropath.com/blog/spinnaker-rce-production-compromise"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://zeropath.com/blog/spinnaker-rce-production-compromise"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-23T16:28:39.326Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32604", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T17:36:42.610812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:36:52.187Z"}}], "cna": {"title": "Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths", "source": {"advisory": "GHSA-x3j7-7pgj-h87r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "spinnaker", "product": "spinnaker", "versions": [{"status": "affected", "version": "< 2026.0.1"}, {"status": "affected", "version": "< 2025.4.2"}, {"status": "affected", "version": "< 2025.3.2"}, {"status": "affected", "version": "< 2026.1.0"}]}], "references": [{"url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r", "name": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "name": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:07:31.157Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32604", "state": "PUBLISHED", "dateUpdated": "2026-04-23T16:28:39.326Z", "dateReserved": "2026-03-12T14:54:24.270Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T20:00:57.517Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "matchCriteriaId": "07B7FB62-8F2B-479F-9A67-BF089F62CBD8", "versionEndExcluding": "2025.3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "matchCriteriaId": "46906F2E-400B-4A1F-A36D-C9BD40E9E7D0", "versionEndExcluding": "2025.4.2", "versionStartIncluding": "2025.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:*", "matchCriteriaId": "667562C0-156D-4D2B-A446-67A2EBFB4CEF", "versionEndExcluding": "2026.0.1", "versionStartIncluding": "2026.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types."}], "id": "CVE-2026-32604", "lastModified": "2026-04-23T18:30:30.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T21:16:32.457", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/spinnaker/spinnaker/security/advisories/GHSA-x3j7-7pgj-h87r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://zeropath.com/blog/spinnaker-rce-production-compromise"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.0.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.4.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "spinnaker", "source": "cna", "vendor": "spinnaker"}, "product": "spinnaker", "vendor": "spinnaker"}], "analysis": {"en": {"generated_at": "2026-04-21T00:01:01.485353+00:00", "value": {"mitigation_remediation": ["Upgrade to any of the patched Spinnaker releases \u2013 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 \u2013 which contain the input sanitization fix.", "If an upgrade cannot be performed immediately, disable the gitrepo artifact type in all pipeline configurations to eliminate the attack surface.", "Restrict configuration permissions to trusted operators and enable audit logging to detect any unauthorized changes to gitrepo artifact definitions."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Spinnaker installations built with the open source Spinnaker platform in versions prior to 2026.1.0, 2026.0.1, 2025.4.2, or 2025.3.2 are vulnerable. The vulnerability is fixed in releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2.", "description_and_impact": "The vulnerability is an input validation flaw that permits a malicious actor to specify arbitrary branch names and paths for gitrepo artifacts, enabling remote code execution on the clouddriver pods. An attacker who can configure such artifacts can run arbitrary shell commands, potentially exposing credentials, deleting files, or injecting additional resources. The flaw is a severe RCE (CWE\u201120) with a CVSS score of 10, indicating full compromise of the affected instance.", "risk_and_exploitability": "The CVSS score demonstrates maximum severity, while the EPSS score is not provided, leaving the likelihood of exploitation uncertain. The flaw is listed as not present in CISA KEV, indicating no actively exploited instances reported as of the last update. The attack vector is inferred to require an attacker who can inject configuration into a Spinnaker pipeline or artifact definition, typically through the UI or API, to supply malicious branch or path values; with such access, arbitrary commands can be executed on the underlying clouddriver pods."}}}}, "created": "2026-04-21T00:15:16.113387+00:00", "updated": "2026-04-22T11:47:16.642945+00:00", "vendors": ["spinnaker", "spinnaker$PRODUCT$spinnaker"]}