A pair of critical remote code execution (RCE) vulnerabilities has been disclosed in Spinnaker, the heavyweight open-source platform used by tech giants like Adobe, Airbnb, and JPMorgan Chase to manage multi-cloud deployments.
Both vulnerabilities have received the maximum CVSS score of 10.0, a rare rating that signals the highest possible level of risk to software supply chains.
The first critical flaw, tracked as CVE-2026-32604, targets Spinnaker’s Clouddriver service, which is responsible for interacting with various cloud providers. This vulnerability is triggered when using gitrepo artifact types.
The vulnerability stems from the improper sanitization of user-provided input within the “branch” and “paths” fields of a gitrepo artifact. Because this input is not correctly validated, a malicious actor can inject shell commands that the system then executes.
An attacker can therefore execute arbitrary commands on the clouddriver pods with little effort. This level of access allows an attacker to expose sensitive credentials, delete critical files, or inject malicious resources into the deployment environment.
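The page does not show Clouddriver's implementation, so the following is an added example, not Spinnaker's code: it assumes the branch and paths fields end up as arguments to git, and places the injectable shape (one string handed to a shell) beside a hardened one (allowlist validation, argv lists, no shell, and `--` so a value is never read as an option). Names such as `hardened_argv` are hypothetical.

```python
import re
import subprocess

# Allowlist for branch names (tighter than git's refname rules): no shell
# metacharacters and no leading '-', so a value cannot become a command or an option.
_BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")
# A single path component: a plain file/directory name, no traversal, no metacharacters.
_PATH_PART_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_valid_branch(branch: str) -> bool:
    """True only for plausible, inert branch names."""
    if not _BRANCH_RE.match(branch):
        return False
    return not (".." in branch or "@{" in branch
                or branch.endswith(".lock") or branch.endswith("/"))


def is_valid_path(path: str) -> bool:
    """True only for relative paths built from plain components (no '', '.', '..')."""
    if path.startswith("/"):
        return False
    parts = path.split("/")
    return all(part not in ("", ".", "..") and _PATH_PART_RE.match(part) for part in parts)


def vulnerable_command(repo: str, branch: str, paths: list[str]) -> str:
    """The risky shape: one string for a shell, so '; cmd' or '$(cmd)' inside
    branch/paths is interpreted as commands. Shown for contrast only, never run here."""
    return f"git clone --branch {branch} {repo} repo && git -C repo checkout {' '.join(paths)}"


def hardened_argv(repo: str, branch: str, paths: list[str]) -> list[list[str]]:
    """Validated fields passed as separate argv elements (no shell), with '--'
    so git never treats a value as an option. Raises ValueError on bad input."""
    if not is_valid_branch(branch):
        raise ValueError(f"rejected branch: {branch!r}")
    bad = [p for p in paths if not is_valid_path(p)]
    if bad:
        raise ValueError(f"rejected paths: {bad!r}")
    return [
        ["git", "clone", "--depth", "1", "--branch", branch, "--", repo, "repo"],
        ["git", "-C", "repo", "checkout", "--", *paths],
    ]


def run_hardened(repo: str, branch: str, paths: list[str]) -> None:
    """Execute the argv lists; with shell=False, metacharacters stay inert bytes."""
    for argv in hardened_argv(repo, branch, paths):
        subprocess.run(argv, shell=False, check=True)
```

The same principle applies to the Echo flaw below: an interpreter (shell or expression language) must never see attacker-controlled text without an allowlist-bounded context.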
The second flaw, tracked as CVE-2026-32613, involves Spinnaker’s Echo service, which handles notifications and event-driven tasks. Echo uses the Spring Expression Language (SpEL) to process information about expected artifacts.
While other Spinnaker services such as Orca restrict SpEL evaluation to a set of trusted classes, Echo was found to be running without these vital boundaries.
Because Echo does not restrict its evaluation context, expressions have full JVM access. This lets a user invoke arbitrary Java classes, giving deep system access to run commands and read files.
Organizations running the following versions are at risk:
- All versions prior to 2026.0.1
- All versions prior to 2025.4.2
- All versions prior to 2025.3.2
Security teams should prioritize updating to one of the following patched releases immediately:
- 2026.1.0
- 2026.0.1
- 2025.4.2
- 2025.3.2
If patching is not immediately feasible, administrators should disable the gitrepo artifact types to mitigate CVE-2026-32604 and disable the Echo service entirely to mitigate CVE-2026-32613. Note that disabling Echo will significantly impact Spinnaker’s notification and automation capabilities.