Description

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

INFO

Published Date :

2026-04-20T20:07:24.697Z

Last Modified :

2026-04-23T16:30:05.001Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32613 vulnerability.

Vendors Products
Linuxfoundation
  • Spinnaker
Spinnaker
  • Spinnaker
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32613.

URL Resource
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.3.2 cve-icon cve-icon
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2025.4.2 cve-icon cve-icon
https://github.com/spinnaker/spinnaker/releases/tag/spinnaker-release-2026.0.1 cve-icon cve-icon
https://github.com/spinnaker/spinnaker/security/advisories/GHSA-69rw-45wj-g4v6 cve-icon cve-icon
https://zeropath.com/blog/spinnaker-rce-production-compromise cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact