NVD Vulnerability Detail
Search Exploit, PoC
CVE-2026-32613
Summary

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Publication Date April 21, 2026, 6:16 a.m.
Registration Date April 25, 2026, 4:02 a.m.
Last Update April 24, 2026, 3:30 a.m.
CVSS3.1 : CRITICAL
スコア 9.9
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更あり
機密性への影響(C)
完全性への影響(I)
可用性への影響(A)
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:* 2025.3.2
cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:* 2025.4.0 2025.4.2
cpe:2.3:a:linuxfoundation:spinnaker:*:*:*:*:*:*:*:* 2026.0.0 2026.0.1
Related information, measures and tools
Common Vulnerabilities List